Malware Analysis Report

2025-01-02 09:20

Sample ID 230222-qz8r5sdf4t
Target file.exe
SHA256 d182c08bed51b78f1dace83a6aa4bdb26954e7c89c9e7c8f8ae0992d6a315934
Tags
gcleaner lgoogloader rhadamanthys socelars downloader evasion loader persistence spyware stealer vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d182c08bed51b78f1dace83a6aa4bdb26954e7c89c9e7c8f8ae0992d6a315934

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

gcleaner lgoogloader rhadamanthys socelars downloader evasion loader persistence spyware stealer vmprotect

Socelars payload

Rhadamanthys

Process spawned unexpected child process

Detects LgoogLoader payload

Socelars

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect rhadamanthys stealer shellcode

LgoogLoader

GCleaner

Checks for common network interception software

Drops file in Drivers directory

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Script User-Agent

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Kills process with taskkill

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-22 13:43

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-22 13:43

Reported

2023-02-22 13:45

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects LgoogLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

GCleaner

loader gcleaner

LgoogLoader

downloader lgoogloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Rhadamanthys

stealer rhadamanthys

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4464 created 2680 N/A C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe C:\Windows\system32\taskhostw.exe

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Xaebaenuhyku.exe\"" C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4464 set thread context of 5524 N/A C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\42b05055-a5d0-4426-b39c-2607c28ddb5d.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230222134339.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Xaebaenuhyku.exe C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Xaebaenuhyku.exe.config C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File opened for modification C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133215470146612298" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob not preserved in this copy] C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (3 identical rows)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (26 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-5HB63.tmp\file.tmp (3 identical rows)
PID 1760 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\is-5HB63.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe (2 identical rows)
PID 4364 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe (2 identical rows)
PID 4364 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe (2 identical rows)
PID 2760 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 1488 wrote to memory of 4912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\svchost.exe (3 identical rows)
PID 2760 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 5004 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 1460 wrote to memory of 2860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3180 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe (3 identical rows)
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (25 identical rows)
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-5HB63.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5HB63.tmp\file.tmp" /SL5="$90048,506086,422400,C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe

"C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe" /S /UID=95

C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe

"C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe"

C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe

"C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vkhxecfp.avq\gcleaner.exe /mixfive & exit

C:\Users\Admin\AppData\Local\Temp\vkhxecfp.avq\gcleaner.exe

C:\Users\Admin\AppData\Local\Temp\vkhxecfp.avq\gcleaner.exe /mixfive

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe & exit

C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe

C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc491446f8,0x7ffc49144708,0x7ffc49144718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe & exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xh5wdcau.5iz\pb1117.exe & exit

C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe

C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4912 -ip 4912

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 764

C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe

"C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe" -h

C:\Users\Admin\AppData\Local\Temp\xh5wdcau.5iz\pb1117.exe

C:\Users\Admin\AppData\Local\Temp\xh5wdcau.5iz\pb1117.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe

C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 772

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc494a9758,0x7ffc494a9768,0x7ffc494a9778

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4912 -ip 4912

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 796

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ybdmkjk.fxr\360.exe & exit

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3200 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3236 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4912 -ip 4912

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3760 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4688 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1364

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vkhxecfp.avq\gcleaner.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1376

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "gcleaner.exe" /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff685ec5460,0x7ff685ec5470,0x7ff685ec5480

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2781324805837865071,6421071705186674643,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4028 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3008 --field-trial-handle=1968,i,2153075317755119444,17566210481581471969,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
NL 130.117.252.18:80 s3.eu-central-1.wasabisys.com tcp
US 8.8.8.8:53 connectini.net udp
US 8.8.8.8:53 18.252.117.130.in-addr.arpa udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 n8w5.c12.e2-1.dev udp
NL 130.117.252.23:443 s3.eu-central-1.wasabisys.com tcp
NL 130.117.252.23:443 s3.eu-central-1.wasabisys.com tcp
DE 52.219.171.182:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 360devtracking.com udp
GB 37.230.138.66:80 360devtracking.com tcp
US 8.8.8.8:53 123.138.230.37.in-addr.arpa udp
US 8.8.8.8:53 23.252.117.130.in-addr.arpa udp
US 8.8.8.8:53 182.171.219.52.in-addr.arpa udp
US 8.8.8.8:53 66.138.230.37.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
NL 142.251.39.100:80 www.google.com tcp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
GB 37.230.138.66:80 360devtracking.com tcp
NL 45.12.253.74:80 45.12.253.74 tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 htagzdownload.pw udp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 www.wohilife.com udp
US 172.67.141.177:80 www.wohilife.com tcp
US 8.8.8.8:53 74.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 www.countlist.top udp
US 8.8.8.8:53 a.dowgmua.com udp
US 188.114.97.0:443 a.dowgmua.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 177.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.ippfinfo.top udp
US 8.8.8.8:53 b.dowgmub.com udp
US 172.67.140.42:443 b.dowgmub.com tcp
DE 178.18.252.110:443 www.ippfinfo.top tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 42.140.67.172.in-addr.arpa udp
US 8.8.8.8:53 110.252.18.178.in-addr.arpa udp
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 68.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 208.48.246.47.in-addr.arpa udp
US 8.8.8.8:53 grt.eiwaggee.com udp
US 188.114.97.0:443 grt.eiwaggee.com tcp
US 8.8.8.8:53 www.profitabletrustednetwork.com udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 192.243.59.12:443 www.profitabletrustednetwork.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
NL 109.206.241.33:80 109.206.241.33 tcp
US 8.8.8.8:53 33.241.206.109.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 12.59.243.192.in-addr.arpa udp
US 8.8.8.8:53 simplewebanalysis.com udp
IN 3.7.139.166:443 simplewebanalysis.com tcp
US 192.243.59.12:443 www.profitabletrustednetwork.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 aribberoviromy.com udp
NL 85.17.80.5:443 aribberoviromy.com tcp
US 8.8.8.8:53 andrexnh.beget.tech udp
RU 91.106.207.103:443 andrexnh.beget.tech tcp
US 8.8.8.8:53 166.139.7.3.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 5.80.17.85.in-addr.arpa udp
US 8.8.8.8:53 be2.com udp
DE 93.104.242.20:80 be2.com tcp
US 8.8.8.8:53 www.be2.com udp
US 104.18.139.241:443 www.be2.com tcp
US 8.8.8.8:53 xv.yxzgamen.com udp
US 188.114.96.0:443 xv.yxzgamen.com tcp
US 8.8.8.8:53 20.242.104.93.in-addr.arpa udp
US 8.8.8.8:53 241.139.18.104.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 app2.be2.com udp
DE 62.245.131.116:443 app2.be2.com tcp
DE 62.245.131.116:443 app2.be2.com tcp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 116.131.245.62.in-addr.arpa udp
RU 91.106.207.103:443 andrexnh.beget.tech tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.isurucabs.lk udp
US 8.8.8.8:53 cslvkney.yu8hyvfgwlgs udp
US 69.46.7.194:443 www.isurucabs.lk tcp
US 8.8.8.8:53 arc.srv.lan udp
US 8.8.8.8:53 194.7.46.69.in-addr.arpa udp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 accounts.server.lan udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 ferramentasadicionais.s3.sa-east-1.amazonaws.com udp
US 8.8.8.8:53 m.facebook.com udp
US 157.240.24.35:443 m.facebook.com tcp
BR 16.12.0.54:443 ferramentasadicionais.s3.sa-east-1.amazonaws.com tcp
US 157.240.24.35:443 m.facebook.com udp
US 8.8.8.8:53 35.24.240.157.in-addr.arpa udp
US 8.8.8.8:53 54.0.12.16.in-addr.arpa udp
US 8.8.8.8:53 secure.facebook.com udp
US 8.8.8.8:53 www.evoori.com udp
US 157.240.24.15:443 secure.facebook.com tcp
US 188.114.97.0:80 www.evoori.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 15.24.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 iueg.aappatey.com udp
US 45.66.159.142:80 iueg.aappatey.com tcp
GB 51.105.71.137:443 tcp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 siaoheg.aappatey.com udp
US 45.66.159.142:80 siaoheg.aappatey.com tcp
US 8.8.8.8:53 56.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 142.159.66.45.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 67.61.205.35.in-addr.arpa udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 accounts.server.lan udp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 157.240.24.35:443 m.facebook.com udp
US 157.240.24.15:443 secure.facebook.com udp
US 209.197.3.8:80 tcp
NL 157.240.247.35:443 www.facebook.com udp
US 8.8.8.8:53 accounts.server.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 update.msiservers.lan udp
US 8.8.8.8:53 clients2.server.lan udp
US 157.240.24.35:443 m.facebook.com udp
US 157.240.24.15:443 secure.facebook.com udp
NL 157.240.247.35:443 www.facebook.com udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 accounts.server.lan udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 clients2.server.lan udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 m.facebook.com udp
US 8.8.8.8:53 www.listfcbt.top udp
US 157.240.24.35:443 m.facebook.com udp
US 8.8.8.8:53 www.typefdq.xyz udp
US 8.8.8.8:53 www.rqckdpt.top udp
US 8.8.8.8:53 secure.facebook.com udp
US 157.240.24.15:443 secure.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp

Files

memory/2216-133-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5HB63.tmp\file.tmp

MD5 cc646fa6fa6af2fbc50f37cfbd67da29
SHA1 7516d944830c012d8663439e9fe6515de6ce6d1c
SHA256 7833d6629388d8b2f5b2e47fcf263e48a61f8147cb68b573f8103802cdcbf9c6
SHA512 0cd1740d89d7f09812fa7926a4f0aadff45e7608173bff05c9e8940ebf0d29e7c670c345164d6ee718a01c57cd8eae6c97fb6c07d9dd2cb983133084d05d4cf1

C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\is-T7BS3.tmp\fITNESS.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

memory/1760-150-0x0000000002390000-0x0000000002391000-memory.dmp

memory/4364-151-0x00000000003B0000-0x0000000000446000-memory.dmp

memory/4364-152-0x00000000024F0000-0x0000000002500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe

MD5 fba3b4b12a0c6c9924132b149147a0a2
SHA1 a776068968a89ff9503e794e4ab0c04bbee6e5f6
SHA256 7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890
SHA512 a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe

MD5 1e8e3939ec32c19b2031d50cc9875084
SHA1 83cc7708448c52f5c184cc329fa11f4cfe9c2823
SHA256 5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808
SHA512 0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\a0-ffb97-515-072a3-7bc8bf2f54cd2\Xaebaenuhyku.exe

MD5 1e8e3939ec32c19b2031d50cc9875084
SHA1 83cc7708448c52f5c184cc329fa11f4cfe9c2823
SHA256 5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808
SHA512 0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Xaebaenuhyku.exe

MD5 fba3b4b12a0c6c9924132b149147a0a2
SHA1 a776068968a89ff9503e794e4ab0c04bbee6e5f6
SHA256 7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890
SHA512 a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

memory/1760-186-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2760-187-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/5004-189-0x00000000013A0000-0x00000000013B0000-memory.dmp

memory/2216-190-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2760-191-0x0000000000330000-0x00000000003AA000-memory.dmp

memory/5004-192-0x00000000008B0000-0x000000000091A000-memory.dmp

memory/2760-193-0x000000001B1D0000-0x000000001B236000-memory.dmp

memory/2760-194-0x000000001B980000-0x000000001BE4E000-memory.dmp

memory/2760-195-0x000000001C020000-0x000000001C0BC000-memory.dmp

memory/2760-196-0x000000001B1A0000-0x000000001B1A8000-memory.dmp

memory/2760-197-0x000000001D7B0000-0x000000001D80E000-memory.dmp

memory/2760-198-0x000000001DF80000-0x000000001E28E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93-47660-b9f-0de86-bcc028cd7a81d\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2760-200-0x0000000000D90000-0x0000000000DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vkhxecfp.avq\gcleaner.exe

MD5 bae2fda3079bd3e78c36218b5c81ef6d
SHA1 140b6bdab3108ae6002d939f98523ee535d67409
SHA256 8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b
SHA512 212d08fafb3d517ae8165add85ef54ef36274d80c81010d3410fb9fb2c48719881cb86489e7bc8a107bd77c389f209c78129d585cd05919272c69b081b7fcbcd

memory/2760-205-0x0000000020630000-0x0000000020692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ngd0f4w.vg3\handdiy_3.exe

MD5 1bb6d985b8842b3d23d10b96e9c85afb
SHA1 c6328a00f7f0f4003888704828de1f371dde7b92
SHA256 a29e436e7e209a545f314516f58fef84718871270da8b5c4aede7048b8ee0c31
SHA512 5b13ec6d5ebfda08780f58e5e5c5d6853c5f45d4bd86bb06023c727cd64fb8263c3b2f1d7b0a7f23fb0fdb357b8d546037b793cc549453d5f305074c0a451f1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 462f3c1360a4b5e319363930bc4806f6
SHA1 9ba5e43d833c284b89519423f6b6dab5a859a8d0
SHA256 fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
SHA512 5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

memory/4912-222-0x00000000007D0000-0x0000000000810000-memory.dmp

memory/2236-235-0x00007FFC65950000-0x00007FFC65951000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

\??\pipe\LOCAL\crashpad_1460_MOWMUOJUTXHQSRLS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d2642245b1e4572ba7d7cd13a0675bb8
SHA1 96456510884685146d3fa2e19202fd2035d64833
SHA256 3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1
SHA512 99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 130644a5f79b27202a13879460f2c31a
SHA1 29e213847a017531e849139c7449bce6b39cb2fa
SHA256 1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1
SHA512 fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 24967c65db4f34cc431d889028f1d1f4
SHA1 33ba20a62768df0aacaef7e8104761a1b11bda3c
SHA256 a3ab83354fb11f9a6a975e2fb4f613c376f89c35d924775e376e417346283702
SHA512 7e8acaf2c4ae6ea77e444db8173dfbd867e3a47f71ba199e3c85bd9ef42ca61ce5130c82609699a4f11591392b536335032ed2eb33ea73059ea14ef42108dc31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 ec8ff3b1ded0246437b1472c69dd1811
SHA1 d813e874c2524e3a7da6c466c67854ad16800326
SHA256 e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512 e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 b263be28aac6044f19d2f90988f972a0
SHA1 c01404771726e4132c92396f56aefd4a95650029
SHA256 dd7a47d8a12b945458f1a92e1c0a1844c96a3b489ec07e6883664be32d3c18ed
SHA512 7317c6796165477e33ae156ea00ac0494193d50ce755f494689409a7bd6958da5affedbe5c53ce1417276bf1120d9fb7e8f0ea76aa791971d99f89401f827a87

C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe

MD5 dc719929115e50ed4383bcc7f7182be3
SHA1 562e69bdf814c156872fd6ad6a3d0116b0304516
SHA256 5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365
SHA512 34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

MD5 8ecfe69a5cd393d82b3436403273b39c
SHA1 df8e327d933ab476d1d129a2d02df1c7592eb6e0
SHA256 44cd9a4d44530fd6c9aad1e02a0993353da85d20d208d9fa7743200800ecbc4b
SHA512 681341f6c8fb4e73b2e63141153ff6abda0de927e0d6f58e19dc0f9e76707fe93c7e1377d7667d9962580717128fb9450b892d8e74478459eed57e5afc963786

C:\Users\Admin\AppData\Local\Temp\5plgsirp.djz\chenp.exe

MD5 dc719929115e50ed4383bcc7f7182be3
SHA1 562e69bdf814c156872fd6ad6a3d0116b0304516
SHA256 5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365
SHA512 34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

C:\Users\Admin\AppData\Local\Temp\xh5wdcau.5iz\pb1117.exe

MD5 b0b6107d070707ecb8676600fd80fb57
SHA1 80483ae177f32245fcdd9307af6478f551d02f5c
SHA256 74db730bd2dfb2f2e794f33f7df0fa5e68e43520b109449508682df3017d7d26
SHA512 f12c2ef136e63f2322fd877184cccc5105e87b3064cdc2e78108562c3d5e5108828d2cd25635c7949553a4e6a443b5fc8c473efa4b6e96d57f0a3e8c000d7791

C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe

MD5 16953811f51327a0fe686114254f292d
SHA1 3374798a0510b4eeda38fc56dc17641cee641c0a
SHA256 5f41ff61fd5b5b8596e8912be5299f855251ec7af961740a752f09cf4a6cb67a
SHA512 1f5393399b468869bfcc70064876d5d43d8e86c5eefd67dd23e3ff68fd3163914ff063065990ad3cf78d179d3998abca0fe602a71f5f2bc500847fdfec33e257

memory/760-373-0x0000000140000000-0x000000014061B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ljoinv1t.x1h\JavHa.exe

MD5 16953811f51327a0fe686114254f292d
SHA1 3374798a0510b4eeda38fc56dc17641cee641c0a
SHA256 5f41ff61fd5b5b8596e8912be5299f855251ec7af961740a752f09cf4a6cb67a
SHA512 1f5393399b468869bfcc70064876d5d43d8e86c5eefd67dd23e3ff68fd3163914ff063065990ad3cf78d179d3998abca0fe602a71f5f2bc500847fdfec33e257

memory/2760-380-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/5004-383-0x00000000013A0000-0x00000000013B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 1b20e998d058e813dfc515867d31124f
SHA1 c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 76c3dbb1e9fea62090cdf53dadcbe28e
SHA1 d44b32d04adc810c6df258be85dc6b62bd48a307
SHA256 556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860
SHA512 de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

memory/4912-413-0x0000000000400000-0x000000000057C000-memory.dmp

memory/2760-414-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/4464-415-0x000000000F2D0000-0x000000000F5CD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2bd089522b71dd2e6569cf4dbd69b222
SHA1 a2b4409d48376f611aa238341e60f4a19f9625f6
SHA256 147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009
SHA512 359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5dfa5b2ee4ab1fbdc6018e59fece1540
SHA1 2d106596a6eb9ed8e902c7b543f89d2fbec89ca4
SHA256 17e264a62fa2cc39b95d0890daef64b3fb43069c4a7917475bdd90799be52fb6
SHA512 3048f849f4b48b83c1ce4ef36f2c607d24612a2e686dac927757e661f4b524d04e457f8b681c3e6b4a86cb1624dc8ba4be003d61f57b88a617cf129f218619ca

\??\pipe\crashpad_1680_VUMKRJDUDFWEDJZR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

MD5 362695f3dd9c02c83039898198484188
SHA1 85dcacc66a106feca7a94a42fc43e08c806a0322
SHA256 40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca
SHA512 a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

MD5 c31f14d9b1b840e4b9c851cbe843fc8f
SHA1 205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4
SHA256 03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54
SHA512 2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

MD5 05bfb082915ee2b59a7f32fa3cc79432
SHA1 c1acd799ae271bcdde50f30082d25af31c1208c3
SHA256 04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1
SHA512 6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

memory/4244-427-0x00007FFC65950000-0x00007FFC65951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ybdmkjk.fxr\360.exe

MD5 77c8c5a05189b38922ab5b88e319737b
SHA1 ec3e6708dc8f067e57dc8a763cd20c88557acc18
SHA256 a729f8d5bb0507a9dad84f93e3d7d4326a66d429ef4c1a66260177ade5007d63
SHA512 f9e83afcf5a4dd923820d2a0d1de656588456d86287ff553d032f78604f2d58f239e74dce6e47ef471f14fe7b400e8746122c397b8f211c8859a1f656837b171

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

MD5 dff0b027fe04d03d1d9ec99062c13cb0
SHA1 be04feeddd3ffb50b30f6891e7d9a3f550c2e57d
SHA256 865206d9e1a8ff96d6642efe60c8865b12433861ec4085ecce063a897d47ddef
SHA512 9c16ada61b574b52b3ce21e3586c03e4382407d672c33aeda77f6670496b2d4d09c3ab13b8f96597ebbaae4fee29c30efc929e5503a25e8b470c6125683f52b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 097310ad8becb9f41c1c1795f5aa3bf2
SHA1 887390ed10883306da98619c680487b52246806f
SHA256 45343ecdfab392cf0f2713ba903c53d133743cb7e80f0aa6c14f64fff58800ec
SHA512 9e6d714dd61b21877c49559ae8b3b5b77525bb62b7987d930ce28caf46b27bd41a8263722a4fd898fa8d56a6dba0d171fcc05e5e9a63350e1967138f1ae444ed

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

memory/5524-483-0x0000000000400000-0x0000000000437000-memory.dmp

memory/5524-485-0x0000000000400000-0x0000000000437000-memory.dmp

memory/5524-486-0x0000000000400000-0x0000000000437000-memory.dmp

memory/5524-488-0x0000000001560000-0x0000000001569000-memory.dmp

memory/5524-489-0x0000000001580000-0x000000000158D000-memory.dmp

memory/5708-497-0x00007FFC651D0000-0x00007FFC651D1000-memory.dmp

memory/5708-502-0x00007FFC652C0000-0x00007FFC652C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240589781.dll

MD5 8596736c157f4e9d597e640b5fd272c2
SHA1 52c13d50177761027cf834200909cb8871e2bfc0
SHA256 7788d59ce9a3935ac67aadd1d6da93feb8a6c2c4ee8b53fba51b93a8f42b3a7a
SHA512 ceb67ced3657617fbe6485642e92c44e672fc39f4c1770a92323bccee636aebeea3b788b9297787db1bb0945e194f2aa245e7f02743207577eca160488ca7d37

memory/5848-505-0x0000000000B90000-0x0000000000BC3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 ce0bf984f71f342568563059861ea5c7
SHA1 f3733c4fcf745be7cfd27d3c8df9b741161ab6a1
SHA256 1cef24acda158d7f0f6a03b6de32084cb127a113d8a0735e0dfb918dd36d23c0
SHA512 5cd6f8c6ce84619ca4810ec30fe734ddc7bf51e532b0176d446b02408c1c9e32ba0eca5033cd6ad99776be53faa37db3ea24bcb400b55a6ddb55e986c2fa7806

memory/4912-532-0x0000000000400000-0x000000000057C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7eeca61e8d6b92b3c1b2d0b46e4d12b4
SHA1 ac62b726210683a1fc6a4931029840be58af042b
SHA256 ee70c83795bc7add769f2f407989b2e65073feb762ab2f501175b920a501a487
SHA512 316800f5e8fc255db90bebfea721f11cebe4254292ed663285d090912eefd661d70ff84c193cb17df73c93df461c496fc58954e561a744c1a5252884c3cf67b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3ae1635b-5d20-4f04-8598-d76914ada018.tmp

MD5 50946888df1f28e14cbd7501be8b3640
SHA1 20f08ff5e25de15c6b2c859b58086f5094bbd471
SHA256 a164bb0407892cfaf0c338fdc6b0444ecaecf26c62a6ae0550bf7ecf5c1b5547
SHA512 893c1dd7b8b5f4f2fcbdfcb1030dc5c162cdb326aad6186cb35bb602eaac7697052c13ddba9c1a5cf6f61146cc58945b6515d933f6a109254f81509d27af1201

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 00677b00c6461f3ff6fac47ede1fe3fd
SHA1 f4e6c0fb59c273590ed1f165a0a3b8b51c7ca978
SHA256 16810c32bf99ad46a0c74793eea97353ee82231e92a1a62a7f5687b3fba1ba14
SHA512 cf31760d4dcf910dc8ad88ae984fc5bb65a58e197f8356b73301528dda2616b2a2b5802a40d16781296cbad85970978e92a188fcd6a9b2107497d3dd31763e9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8bc218355375c562b72b1fb35293ee96
SHA1 482909ba97748db230afc679041f89ec7f6ab4fe
SHA256 d777a0c6c2f5a201fbcdc8b028cb56b7010361e72bb928d966687d0cef765fb8
SHA512 abf8012e5a8312c575a6f8ce1c19be46739b6b9b396df631b1f7708c7a3d02f9cdfcf1817207eee938aba90164cfec2bbe295b54b45104ccf4fa0347b6d9bc71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 dc2cb5816288f53a1fe1dee75b680fcf
SHA1 f7b67bdb00802165b320bdd95130fe87688489b5
SHA256 a8f7b3e5d52fad8dd91a0e9c66a79208d67b2a518cf7a754b5141e133e671e38
SHA512 32386f87f5bcd6da68b62fef6eac070a0017bbb80d306a06901d11610bd225409a5632bee8515cc28de478bd8651227d017a88c07e1a84651cdef94ea24d049a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7260073be8269f0d3e7860b9ad11f588
SHA1 648fd366e0e6d30e66905a4270c768561d2e9374
SHA256 c279c00d654030b750a62b034b9c1b320982c8277ee2bb6fa82f1994ef770baf
SHA512 fed0976be21c73db4735ab6a2aee3f89c7d7200897dda55665881cdbb110d1156e6dac60faeec87050ac4504f73dcc45110f739c1dbae6824a9e78b92e0fdf0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 18800a4e209bc17000d1f92028145737
SHA1 5735e4db835c7909d29165edc189d90f734c1288
SHA256 657410bbfb84e812abb4932013d0529963878b517f13b63c132cdb4c85990802
SHA512 20d521e53b8f6d880dd5d3b378e2fcb62ca6bf50634ea7cd1c0bf7ede6905898906a8e894807ce76408dcf0206212112ca7ec811e1905ee0eedf7cd84a2df540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe574a47.TMP

MD5 200aff2ea1c9145a90aeb17dc123c4b2
SHA1 923b08ff883d78f06b9916d11e761632465f6953
SHA256 fc71feb2c370cc9e81905cf7c763ea86423c03f6f08b47a6111c5763b71f8157
SHA512 a183565465e1e52e8d451a34240772c8734ac5810e710427b342f900c8117e2de8482090fb0be64bc7cace149e58b4bdf8982567abcb68bd8895a50487001e65

memory/5848-630-0x0000000000F60000-0x0000000000F7C000-memory.dmp

memory/5848-641-0x0000000000F60000-0x0000000000F7C000-memory.dmp

memory/5848-642-0x0000000000F40000-0x0000000000F42000-memory.dmp

memory/5848-643-0x0000000000F40000-0x0000000000F43000-memory.dmp

memory/5848-647-0x0000000000B90000-0x0000000000BC3000-memory.dmp

memory/5848-646-0x0000000000F60000-0x0000000000F7C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 113e2ff31a7f9f7776f04e958cbee57e
SHA1 7282a032ad39176d76aa78eacb0b1f73e604eb1c
SHA256 910a02e7afe245f4d1327e818459a39c0557b250d2c5ac400ffe9b69563804dd
SHA512 ef2324620e0ab46b8da29f9abf9a1bb4102c3bbf3050ddcfc7bc6c4ee1fb7f24e8ed7ab82040f3b3743df90957530c5e5a4389e1a0fdc3c544a41afd8da2206f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 085301666d006b7861b46ddf2c379d29
SHA1 6e816551d66f65ad59d93612a6d88e3e5ce8e3e6
SHA256 434bfe5348568a085a85d10ac4f60efa82d63ed1aed0fb2c6938f3a6036b8203
SHA512 4f9fb6c92c83f0f4d8c7c7c286c4bc797a14d6bc4f0f201c03f7cd21801ea22c5b49bee83e947e562e3bf1e574b62dfa731fb2c225fd5577603136b5b842a809

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c40bd8ca638dfbc17ba005def362c670
SHA1 91fb857f243f2d356491b6c63bc7aef93d6c8c21
SHA256 b9160841b65b8848ee446f7439af925c6f181eb35fdb6bd4583ac7bfa576c7cf
SHA512 e1683ba03fdda6f576d0f00d975b87e28d85cf6aee99a965b2e308106299659dfa1b5d812ecfb90bad1af19c348afc9536ec8e670225fb505526177c138541a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd79f44776029f40ca0f1134bfac8207
SHA1 1e3a44c4710f5acb2c7ccac59c35c27016777c32
SHA256 504770d086041f5926af3a595b818fcecd54f26bbf220fa65d5a015038935edd
SHA512 26ea5c4ed60112ee55a5a2da9196f098d205c2d37a8c11e44802a27f27e594543ee0fa20a814870ef08ba357ae9afdc9dca40500fe3d59f436122d15376504e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d36e5a374fb86b47daa41d0c15bfc717
SHA1 7205e7fa6346118e7eb09484a0e1b2ef77e0e772
SHA256 89cad58c1c01fc2d6d31fe4da3fd58ddb0023b78d652ec9633f31f234bf8c030
SHA512 f8bdfdd488518ca978b9fd04de6b80a4668a6132c3eb683903c1c42a8b54bcd85ef3d706b21e78de3458b7383e7bd7d2b792e0269bf0ceae174304360bad99cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 dba183a01ba1885fab35014d6d0d99e4
SHA1 ac31f0198ac58859f30ebf99bc18f34beb53197e
SHA256 fd33ee1250bdca72906eb5b7c750b4d38b0eb80739ea48b02eea65914a9596eb
SHA512 be06e35b0c92f3379e0827ea3e1940596165e94cda4e570638c2b51d361c5672a46f0c5832f34db005df4fa8374abd0517c1a1620c089d94477bb43f9f5cf140

memory/5440-733-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-732-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-734-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-739-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-738-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-740-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-742-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-741-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-744-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

memory/5440-743-0x000002A20D4B0000-0x000002A20D4B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-22 13:43

Reported

2023-02-22 13:45

Platform

win7-20230220-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Uninstall Information\\Relyjaegigi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defender\FFKTRUJUED\poweroff.exe C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
File created C:\Program Files (x86)\Uninstall Information\Relyjaegigi.exe C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
File created C:\Program Files (x86)\Uninstall Information\Relyjaegigi.exe.config C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "155" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "140" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "91" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "140" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "51" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "112" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "1109" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f35fd4ec1ca1494aa57fdd0dc6b810a4000000000200000000001066000000010000200000008f0c65f913073578e452a378632caba33390f534724a82058dc53c55909eea07000000000e8000000002000020000000ec3ae42b9b14588e9ec43b8e63c83bd0d6eb45cb9ee304bedf36e045a627262b20000000c21ed72d19a26321726def2533ef9d8701aa6ce67a09c644649214d37f2760f740000000112b993b8118f2f248fa68b432302b3609248ea82d9f06df7418b646fa572bf254eb5c2a53a169df9c3f1484ce6f36c7ccc9cba3742fdafb0fccc0da75488bab C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "1067" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "187" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "187" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "51" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "155" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4169DD21-B2BF-11ED-99C3-E6255E64A624} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "187" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1109" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "155" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "91" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "140" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5030421dcc46d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "112" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DOMStorage\chikiporn.com\Total = "1109" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
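
Reading the rows above: both writes land under the AuthRoot store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot). That store is the cache Windows CryptoAPI fills from the Automatic Root Certificates Update when a chain it is validating ends in a root the machine does not yet hold locally, so a single outbound TLS connection made by fITNESS.exe is enough to produce these entries, and the sandbox attributes them to that process because CryptoAPI runs inside it. A write under the Root, TrustedPublisher or Disallowed stores by a dropped executable would be a different matter: that is a real trust-store tamper. The Python below is an added triage helper, not part of this report or of the sandbox that produced it. It parses rows in this table's format, groups them by store and thumbprint, ranks them with the example's own severity scale (an assumption), and resolves thumbprints against a deliberately tiny reference list that contains only DigiCert Global Root CA; the other thumbprint is left unresolved on purpose and should be checked against the Microsoft CTL or the certificate blob itself.

```python
import re

# Constructed sample input: the rows of the "Modifies system certificate store"
# table above, copied as they appear (the report elides the Blob data).
# Columns: Description, Indicator, Process, Target.
CERT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
"""

# What each CryptoAPI system store holds. The severity is this example's own
# triage ranking (an assumption), not anything Windows or the sandbox defines.
STORE_INFO = {
    "AuthRoot": ("roots fetched on demand by the Automatic Root Certificates Update "
                 "while CryptoAPI validates a chain; a plain TLS connection triggers it", "low"),
    "CA": ("cached intermediate CAs", "medium"),
    "Root": ("trusted root CAs; a third-party process adding one can forge TLS and "
             "code-signing chains", "high"),
    "TrustedPublisher": ("publishers whose signed code runs without prompting", "high"),
    "Disallowed": ("explicitly distrusted certificates", "high"),
}

# Deliberately tiny reference list (assumption for this example). Resolve real
# findings against the Microsoft CTL or a full public-root list instead.
KNOWN_ROOTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value \(\w+\))\s+"
    r"\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-F]{40})",
    re.IGNORECASE,
)
# The Process column is the drive-letter path that precedes the trailing Target.
PROC_RE = re.compile(r"(?P<proc>[A-Za-z]:\\.*?)\s+N/A\s*$")


def known_root_name(thumbprint):
    return KNOWN_ROOTS.get(thumbprint.upper())


def classify_cert_writes(text):
    """One finding per (store, thumbprint, process) with store meaning and severity."""
    grouped = {}
    for line in text.strip().splitlines():
        m, p = ROW_RE.match(line.strip()), PROC_RE.search(line)
        if not (m and p):
            continue
        key = (m["store"], m["thumb"].upper(), p["proc"])
        entry = grouped.setdefault(key, {
            "ops": [], "scope": "machine" if m["hive"].upper() == "MACHINE" else "user"})
        entry["ops"].append(m["op"])
    findings = []
    for (store, thumb, proc), entry in grouped.items():
        info = next((v for k, v in STORE_INFO.items() if k.lower() == store.lower()), None)
        meaning, severity = info or ("unrecognised store", "medium")
        findings.append({
            "store": store, "thumbprint": thumb, "process": proc,
            "scope": entry["scope"], "ops": entry["ops"],
            "severity": severity, "store_meaning": meaning,
            "known_root": known_root_name(thumb),
        })
    return findings


if __name__ == "__main__":
    for f in classify_cert_writes(CERT_ROWS):
        print(f["severity"].upper(), f["scope"], f["store"], f["thumbprint"],
              f["known_root"] or "(unresolved: inspect the Blob)", "<-", f["process"])
```

On a live host the same distinction is visible by comparing the thumbprint against the contents of Cert:\LocalMachine\AuthRoot and Cert:\LocalMachine\Root: an entry that exists only in AuthRoot and matches a publicly trusted root is consistent with an automatic fetch, while a root that appears only on the affected machine needs its Blob exported and inspected.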

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe N/A (identical row repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 2028 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe
PID 2028 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe
PID 2028 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe
PID 2028 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe
PID 1784 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe
PID 1784 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe
PID 1784 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe
PID 1784 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe
PID 1784 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe
PID 1784 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe
PID 612 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 612 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 612 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1176 wrote to memory of 756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1176 wrote to memory of 756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1176 wrote to memory of 756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1176 wrote to memory of 756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1648 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1648 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1648 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
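
Every edge in the table above is a parent writing into a process it has just spawned, which ordinary process creation also produces under API hooking, so the table reads better as a process tree than as injection evidence on its own. The Python below is an added helper, not part of the report: it parses rows in this table's format, collapses the repeated rows into a per-edge call count, and renders the tree so that the two Jojocaebigo.exe copies under fITNESS.exe and their different fates (one opens Internet Explorer, the other ends in dw20.exe, the .NET crash reporter) are visible at a glance. The sample input is a de-duplicated subset of the rows above; the regex splits the two path columns at the space before the second drive letter, which is what keeps "Program Files (x86)" paths intact.

```python
import re
from collections import defaultdict

# Constructed sample input: a de-duplicated subset of the "Suspicious use of
# WriteProcessMemory" rows above, copied verbatim (one row per call, so a
# parent/child pair can repeat). Columns: Description, Indicator, Process, Target.
WPM_ROWS = r"""
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 1704 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp
PID 2028 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe
PID 1784 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe
PID 1784 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe
PID 612 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1176 wrote to memory of 756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1648 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
"""

# Both path columns start with a drive letter. The first path is matched
# non-greedily up to the space that precedes the second drive letter, so rows
# whose paths contain spaces ("Program Files (x86)") still split correctly.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>[A-Za-z]:\\.*?) (?P<dst_path>[A-Za-z]:\\.*)$"
)


def parse_wpm_rows(text):
    """Return ({(src_pid, dst_pid): call_count}, {pid: image_path})."""
    edges, images = defaultdict(int), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["src_path"])
        images.setdefault(dst, m["dst_path"])
    return dict(edges), images


def build_tree(edges):
    """Return (root_pids, {parent_pid: [child_pid, ...]})."""
    children, parents = defaultdict(list), {}
    for src, dst in edges:
        children[src].append(dst)
        parents[dst] = src
    roots = sorted(p for p in children if p not in parents)
    return roots, dict(children)


def lineage(pid, edges):
    """PID chain from the root down to `pid`, e.g. [1704, 2028, 1784, 612]."""
    parents = {dst: src for src, dst in edges}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(text):
    """Indented tree, one line per PID, with the write count on each edge."""
    edges, images = parse_wpm_rows(text)
    roots, children = build_tree(edges)
    out = []

    def walk(pid, depth, calls):
        name = images.get(pid, "?").rsplit("\\", 1)[-1]
        suffix = f"  ({calls} WriteProcessMemory call(s) from parent)" if calls else ""
        out.append(f"{'    ' * depth}{pid} {name}{suffix}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(WPM_ROWS)))
```

The is-BDFJN.tmp\file.tmp stage with its /SL5= switch in the Processes section is the standard Inno Setup unpacking layout, so the first two levels of the tree are the installer framework; the chain worth pivoting on starts at fITNESS.exe.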

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp" /SL5="$70122,506086,422400,C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe

"C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe" /S /UID=95

C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe

"C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe"

C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe

"C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1660

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
NL 130.117.252.19:80 s3.eu-central-1.wasabisys.com tcp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 n8w5.c12.e2-1.dev udp
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
NL 130.117.252.10:443 s3.eu-central-1.wasabisys.com tcp
NL 130.117.252.24:443 s3.eu-central-1.wasabisys.com tcp
DE 3.5.136.176:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 360devtracking.com udp
GB 37.230.138.66:80 360devtracking.com tcp
NL 142.251.39.100:80 www.google.com tcp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 google.com udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 www.profitabletrustednetwork.com udp
US 192.243.59.12:443 www.profitabletrustednetwork.com tcp
US 192.243.59.12:443 www.profitabletrustednetwork.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.170:80 apps.identrust.com tcp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 kts.cvastico.com udp
NL 62.122.168.42:443 kts.cvastico.com tcp
NL 62.122.168.42:443 kts.cvastico.com tcp
US 8.8.8.8:53 kts.vasstycom.com udp
NL 62.122.173.28:443 kts.vasstycom.com tcp
NL 62.122.173.28:443 kts.vasstycom.com tcp
US 8.8.8.8:53 chikiporn.com udp
US 104.21.235.23:443 chikiporn.com tcp
US 104.21.235.23:443 chikiporn.com tcp
US 104.21.235.23:443 chikiporn.com tcp
US 104.21.235.23:443 chikiporn.com tcp
US 104.21.235.23:443 chikiporn.com tcp
US 104.21.235.23:443 chikiporn.com tcp
US 8.8.8.8:53 chikiporn1.vanessadelriomovies.com udp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 104.21.234.109:443 chikiporn1.vanessadelriomovies.com tcp
US 8.8.8.8:53 mc.yandex.ru udp
RU 77.88.21.119:443 mc.yandex.ru tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 st.tubecorporate.com udp
US 188.114.97.0:443 st.tubecorporate.com tcp
US 188.114.97.0:443 st.tubecorporate.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
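
The table above mixes lookups through the sandbox resolver with the TCP connections that follow them, and repeats a row for every connection, so the same name can appear a dozen times while a name that was only ever resolved (n8w5.c12.e2-1.dev has a DNS row but no connection) is easy to miss. The Python below is an added example, not part of the report. It normalises rows in this format into one entry per name, separates resolved-only names from contacted ones, tags object-storage hosts (public buckets are a common payload-staging location) and removes allowlisted platform noise. The resolver address is taken from the table; the allowlist suffixes (google.com for reachability checks, identrust.com for CRL/OCSP/AIA fetching, microsoft.com for Internet Explorer telemetry) and the storage suffixes are the example's own assumptions and should be tuned per sandbox.

```python
from collections import defaultdict

# Constructed sample input: a subset of the Network rows above, copied verbatim.
# Columns: Country, Destination (ip:port), Domain, Proto.
NET_ROWS = """
US 8.8.8.8:53 s3.eu-central-1.wasabisys.com udp
NL 130.117.252.19:80 s3.eu-central-1.wasabisys.com tcp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 n8w5.c12.e2-1.dev udp
DE 3.5.136.176:443 wewewe.s3.eu-central-1.amazonaws.com tcp
GB 37.230.138.66:80 360devtracking.com tcp
NL 142.251.39.100:80 www.google.com tcp
GB 37.230.138.123:443 connectini.net tcp
US 192.243.59.12:443 www.profitabletrustednetwork.com tcp
NL 88.221.25.170:80 apps.identrust.com tcp
NL 62.122.168.42:443 kts.cvastico.com tcp
US 104.21.235.23:443 chikiporn.com tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Every name in the report is resolved through 8.8.8.8, so UDP/53 rows to it
# are lookups, not contacts. Assumption: adjust for other sandboxes.
RESOLVER = "8.8.8.8:53"
# Suffixes treated as platform noise (this example's assumption, see lead-in).
BENIGN_SUFFIXES = ("google.com", "identrust.com", "microsoft.com")
# Object-storage suffixes worth tagging separately (assumption).
STORAGE_SUFFIXES = ("amazonaws.com", "wasabisys.com")


def _has_suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_net_rows(text):
    """Return (resolved_names, {domain: {(ip, port, proto, country), ...}})."""
    lookups, conns = set(), defaultdict(set)
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        if dest == RESOLVER and proto == "udp":
            lookups.add(domain)
            continue
        ip, port = dest.rsplit(":", 1)
        conns[domain].add((ip, int(port), proto, country))
    return lookups, dict(conns)


def triage(text):
    """One row per name: its tag and the de-duplicated endpoints it reached."""
    lookups, conns = parse_net_rows(text)
    rows = []
    for domain in sorted(lookups | set(conns)):
        endpoints = sorted(conns.get(domain, ()))
        if _has_suffix(domain, BENIGN_SUFFIXES):
            tag = "noise"
        elif _has_suffix(domain, STORAGE_SUFFIXES):
            tag = "object-storage"
        elif not endpoints:
            tag = "resolved-only"
        else:
            tag = "contact"
        rows.append({"domain": domain, "tag": tag, "endpoints": endpoints})
    return rows


def ioc_list(text):
    """Domains and IPs worth blocking or hunting on: everything not tagged as noise."""
    domains, ips = set(), set()
    for r in triage(text):
        if r["tag"] == "noise":
            continue
        domains.add(r["domain"])
        ips.update(ip for ip, *_ in r["endpoints"])
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    for r in triage(NET_ROWS):
        print(f"{r['tag']:14} {r['domain']:45} {r['endpoints']}")
    print(ioc_list(NET_ROWS))
```

Resolved-only names deserve a second look rather than a lower priority: a name the loader queried but never connected to can mean a dead staging host, a sinkholed domain, or a fallback that this run never reached.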

Files

memory/1704-54-0x0000000000400000-0x000000000046D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp

MD5 cc646fa6fa6af2fbc50f37cfbd67da29
SHA1 7516d944830c012d8663439e9fe6515de6ce6d1c
SHA256 7833d6629388d8b2f5b2e47fcf263e48a61f8147cb68b573f8103802cdcbf9c6
SHA512 0cd1740d89d7f09812fa7926a4f0aadff45e7608173bff05c9e8940ebf0d29e7c670c345164d6ee718a01c57cd8eae6c97fb6c07d9dd2cb983133084d05d4cf1

C:\Users\Admin\AppData\Local\Temp\is-BDFJN.tmp\file.tmp

MD5 cc646fa6fa6af2fbc50f37cfbd67da29
SHA1 7516d944830c012d8663439e9fe6515de6ce6d1c
SHA256 7833d6629388d8b2f5b2e47fcf263e48a61f8147cb68b573f8103802cdcbf9c6
SHA512 0cd1740d89d7f09812fa7926a4f0aadff45e7608173bff05c9e8940ebf0d29e7c670c345164d6ee718a01c57cd8eae6c97fb6c07d9dd2cb983133084d05d4cf1

\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2028-71-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

\Users\Admin\AppData\Local\Temp\is-ACUJI.tmp\fITNESS.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

memory/1784-77-0x0000000000A90000-0x0000000000B26000-memory.dmp

memory/1784-78-0x00000000005A0000-0x000000000060A000-memory.dmp

memory/1784-79-0x000000001B020000-0x000000001B0A0000-memory.dmp

memory/1784-80-0x0000000001F30000-0x0000000001F8E000-memory.dmp

memory/1704-81-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2028-82-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6471.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\Local\Temp\Tar6A1E.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe

MD5 1e8e3939ec32c19b2031d50cc9875084
SHA1 83cc7708448c52f5c184cc329fa11f4cfe9c2823
SHA256 5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808
SHA512 0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe

MD5 fba3b4b12a0c6c9924132b149147a0a2
SHA1 a776068968a89ff9503e794e4ab0c04bbee6e5f6
SHA256 7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890
SHA512 a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

memory/612-125-0x0000000000CC0000-0x0000000000D2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6-17fd4-feb-3b083-db8f92a61a9f1\Jojocaebigo.exe

MD5 1e8e3939ec32c19b2031d50cc9875084
SHA1 83cc7708448c52f5c184cc329fa11f4cfe9c2823
SHA256 5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808
SHA512 0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

memory/1648-127-0x0000000001080000-0x00000000010FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\af-360d3-14d-8caac-a908e1d7b484a\Jojocaebigo.exe

MD5 fba3b4b12a0c6c9924132b149147a0a2
SHA1 a776068968a89ff9503e794e4ab0c04bbee6e5f6
SHA256 7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890
SHA512 a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

memory/1648-147-0x0000000000900000-0x0000000000966000-memory.dmp

memory/612-148-0x0000000000B60000-0x0000000000BE0000-memory.dmp

memory/1648-149-0x0000000000970000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bdd661b92c68296fe33b9193b8cff46
SHA1 1ccea4f8415a8409ca8b9771ea8f24a843e86ada
SHA256 fc796dc2ff8d0e29fde1adcf8dea41cc6044e335d5327819dbb9554146243d9b
SHA512 3b100e7fdefc306455ad4858071da45036face37d18ef67593d30bf26ab3e28fb8a3e64b1bca1b240480431607c8d2f35015ff097936cc5e378f9fa32986edbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bdd661b92c68296fe33b9193b8cff46
SHA1 1ccea4f8415a8409ca8b9771ea8f24a843e86ada
SHA256 fc796dc2ff8d0e29fde1adcf8dea41cc6044e335d5327819dbb9554146243d9b
SHA512 3b100e7fdefc306455ad4858071da45036face37d18ef67593d30bf26ab3e28fb8a3e64b1bca1b240480431607c8d2f35015ff097936cc5e378f9fa32986edbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078e40ee11db115e0528633671f0e7ed
SHA1 2e06342bb44a752a310f8021b80b7fde26ab8abb
SHA256 0e6fe26e5c23ab3007ba727e904cefe913f9d4f423aa1596cfea635590e63fa7
SHA512 abbd864179dd17681ac6b57abb060209608d227968098c13719235ad4fb8c6d7f5969fa233038124d5b663c2977e5cdb78bb02fcd9da5b1dc2f4e48941198da5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aeb8caaf189a068e1c3120b5614457c6
SHA1 140d585a6069f3c92e04d3705042b3e15f2a088e
SHA256 9cebac1ecd5797f7492afac319f065b507715b22dcb64179752dfb7905c391f7
SHA512 9f8ff8d8c2a9a008820fb429499cddd9c0ce024884966cd6b2e7f4a22b790d7957c9e9988b167e40e62512956cb9f20d52cdb0e5ce53dcfc8e3371a66619a1c6

memory/2028-263-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1704-265-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1176-266-0x00000000020C0000-0x00000000020D0000-memory.dmp

memory/756-267-0x0000000002B70000-0x0000000002B72000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adf65df778430b613c2da82eb947b485
SHA1 e6e512c6a5afa2198d067764bc559a9904c512c6
SHA256 9d72ea1b3c2537eb9b746fba9af82b1f035066512a175b168e49fbda6d38a551
SHA512 c45459a27538406b4587a3a6288e9cdaa29a6a01bd3d695068b852fbca8600ab07b1cf10d6ecd0c8578778f1bd0122196912cd56f7709a1e2615741bce5ee620

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 121cfdf1e7cc564e3ca4d2c4cd12b740
SHA1 e5f02333fa325953d1c77e206120c1fc697c0423
SHA256 10fea284ab7b406fc4f1930a02617f10bb6c1a86fd401071f9e122b68a19770c
SHA512 23054269d572fd6f1fe2900b118b24b177a6be8fa9e161da272a6a74efbe11dc9181cc18d9fe4aa1174edabd5586edb40629cd82a283dd41ead8e3f8c51242e3

memory/1648-369-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/1736-370-0x0000000000660000-0x0000000000661000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1eea931b63db5400efb8a5872e4d7fa
SHA1 0f49993588b55107481fb4c237d0b5e941e1f5ab
SHA256 793e22fc5b48562b347483700fe2262c1c2d387b4a7546b5d1a17afa1b5e2c97
SHA512 3b328fe64ed783407977f26c30eace784be7f9835528f23794cbaac7d0a40ee6532de9e4acf8533702ea0e7ab2d7b7bf0283837774d9c1e4a08862b1d7a3b927

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 528edabf42f3d1a6128c0524c995d766
SHA1 dca4edc3490d71d408d79221bf25f00e3bc22cb2
SHA256 e383d1c44d86d77f73d95392466792aa1c50f88d5bd27865ec1646f266202aa5
SHA512 4dbed68deb771d86c3ba6426d61213f793addf9d70571edede853c8f881f070ab3f089d6826bbc755cafdd9804839e1ac1a2ac3d4947724c3a43991bd8d06007

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_1A783AD6B904DB7FAD25A0A4C9FCD3F3

MD5 a24312f3bfee80407fc58774e39661c8
SHA1 20efb4a60ea71eafcbea65ae29be8d1c55306491
SHA256 0e39a936ed1d1f4d13a881966eb80d97a9ec61bc8ea5b25a08a79d00617b5894
SHA512 b055f5ec2a520c33509a6f7419132c19dc98dc84f78dfb637a122d23067579e40aa1ea96b9077b4a3e64c4c549dddd360f27a2a32b12f0e8993782a51429b190

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\C2GJ8YZR\chikiporn[1].xml

MD5 d499551eb9b1ee69b62c5191370a1484
SHA1 e15a02dbc5942e698fbba3678fc19a74f178a8c3
SHA256 ad5280f92aa2fd44ccb6fcec22bbd0d442be3bde6afe981b982a03ce198b1bcb
SHA512 53b9ea0b850343fb336891bf6776e0909161b38098ee903c54281961a62bc3efa8dd8407e43d9b1bd0be1ab9a1a2ddc245ab53cd8e5d77cc05c1730ad91f80a9

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\C2GJ8YZR\chikiporn[1].xml

MD5 05cac5d6b4c9abd3063d84287c5d97be
SHA1 44fc69b89dbdfcf765d9a6b5570fbc8ebb7ccab2
SHA256 f266302b345de1fb2e87307a052a8c73d06638d7659a76c6bf6f49c7fc47a802
SHA512 d3cc0306e9b088afc2336ecdd458c2caf91d75960add5a9b76837835e6af8536bf7c6d286d08180fe2ca7228ab34b8353358b55a8894be36e0bb9428e45b6885

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\favicon-32x32[1].png

MD5 4d91506e6590bae5f45c639afc80b706
SHA1 b855388120c2388827da44dff075c7e0945c5123
SHA256 76d1917f2d280713ef29ee7187778d2ed200babc279350439404bcb6944b5830
SHA512 01306b2e26cd599dc1ee2946b0e63a45e8513f9d65291a7419b410cb10e47c51d27ecb52d6fe03e995c4327db1c8cc73e4baaefdc375070f1afd39a1b409a65d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\x4s3ygl\imagestore.dat

MD5 bb619018c4598e21e6704e0ea7ae4b12
SHA1 ca16b8852919b787a32a3151ac9c8df3bc8532c7
SHA256 5e9eeb5fd76d64920985576bb714cf4508822498d954511e146571e2b3850dbb
SHA512 e7ba70fa0b546a4a42e36ce8b3f22961bc00a7bde365d7fcb55f2768c8475a45fffd996c41f6adbd556c372204d5872439925e4ece60da536cb78e47179fafee

memory/612-823-0x0000000000B60000-0x0000000000BE0000-memory.dmp

memory/1648-824-0x0000000000970000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db698465e83ab883df0f34222b62269b
SHA1 607c4127d5895c66c4be263b02c7e67cd77b834e
SHA256 a12f9207d78f9288909bd8a5bb94f12c6d20d726e6e50c738032656c67e45ed7
SHA512 8202075a4e75d0d9feb97ca5b4170ad8f6673066fb0b29911d9ef14399418a9f82c98d8d1593cac307319e82cace2847abaa8fb0ab64e1cb7eb4de88061eac22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0868d56f1a3909e4729ccb4697f2d57b
SHA1 42bbcf584ebefd7f30a9bfdadf5f2186cba41a7f
SHA256 00fc5762aa50d64608f2dd40d6824d2976b3f6b425c69f67e75ec88c95528174
SHA512 09a08841d1ff5f01debca734cc4c3d4d00bda2f91c27b045ca0379834d10ae1b1d9a791fd6076b694ed497ae8064518670fd220eba60477d46cdc0cc528ba399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b15aaa00f2d2434c87a7b677b5839da
SHA1 acf10ad32bab8163e5b7aada13d28490b9124eff
SHA256 6d4cfadcdc33d74ab20fd8a7db348d9272576e53afeee93d46cb7cf9dc47ebd9
SHA512 632a55fdffd6c38638da410dec303a35878f1197e94e3a75bc3cdfc292750927feb7c0148d821f62cb5e1f798e3c8892b81696f4eb19f5761ea3dfe3262b315e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4c4e583d737c4ae976a42110a164bb8
SHA1 57d53951dd1a5bfa1b14feaf136c8ecedce2b880
SHA256 4aeee85b772ae31395af3e4ea7a69ab8ee9b9d8a18c16c529040ec2455796749
SHA512 4646cae4a30e7cca145b8ca11fce8c2bdfcc21cda0ab3cc7ed2555502cd3f834f14c8309a144d5402272017cb64bcd7d0d37d7fe1b41eade50943d63f68a0627

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 955fe0743b38bf8b73a184a7fdf4b2a9
SHA1 2c376fd95e831039e2e09c136e10298dfd1b68c6
SHA256 7ac907c4688cb83975818ed8e0161c7564dab712b288161ee97868467f901518
SHA512 31aa7da25a5b98806f7a959d2e704e385b9a3d34243f1411fcfd4b073b3bec02b4b5dbce68a9a462758be762d08f94e63cf3975e4aba8f1c225b4779f21b77ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15d0e6a35a964ce462c642f9de6e7fd0
SHA1 15ba8a752eee007b6b718c48ac4d7b41ecf0e6de
SHA256 938835b6bad33177b36bdecc30f46758df0613181e0ebf27d08331aa97238753
SHA512 eac741a307779e13ece4bd004e906d2d81a6acf6650af9d43ab1ef1180752cf534a2d3579f846e140f18ce1d0e5861856c5a290d7d612b5e9071d3ef5e16874c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 056e25a15ea52913f38fadb67b137e21
SHA1 6e83d1b40edd23e945f8058ad42adfd75eca330d
SHA256 bcefb6396e04721129ed7b7b695a118acb1e4df768fdb2389b32672360c74050
SHA512 bf2ae29080e40bb640096a22ec725652e1fbdfbd742820abdf6904f2dc62a2561a65b543703eef3a9ce97186e895516df2cfddbbc06b23c9540ff7b75a28bf2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f334820275e8ccf48c324000e9507a40
SHA1 ee05ffa88caf74d51b3439c332b467975174f8ad
SHA256 81c74bbbaac19148a142e058677d2c692d66b7f016483e2a35a5442a16e2aec8
SHA512 478bdcee1e6dd91a6787037833b831c28dfab0fac299db1dd948449f9b974c624fc805df43f3d5cf147d325b1da2045cd6dc163a6c362a2efc8ba980d6faa930

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be4fbd3218491dedeb445457d1701697
SHA1 7ddb7fa48fcd9892acca5d9a54302096888f05b1
SHA256 4666cec8bd72269ae163ad90d9fb4a41f5c8dc03c8334905ecfb4261d80febbb
SHA512 ea7d94bf6d5958676aa84fa0b563907e1b42b4769195c7b8a9dcb476cd95a3dab4c4e263a0903b2dab52381a38d72ed3f6abf53260a3b74ab9c59af984ce24cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae079a3e67e8543b8e9de6623d3b37f
SHA1 278fb4df575763744dbb3ebe7c3ea35aded4b960
SHA256 8d04dc98a458c5251f74e02c3046f3f032660e30c91535b8b65e370b78da1b33
SHA512 2e6063053c9621f372dc9506d402c1bc043dcfa795cbd8e0f7f02e18a3741f15e794b4f89edb5e118aaf6235f4113fe6c94791f6a4bc0cac27cd0b0a9c1aba03

memory/1648-1255-0x0000000000970000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\C2GJ8YZR\chikiporn[1].xml

MD5 59c502133813ee6a3282cb7fbedcc968
SHA1 4c21d552f042f6e41f6e93b4e507aeadc25a0cfb
SHA256 0bb0a99b6b9b563eb1fdd158c8f407c73c5108b968f4db2c3c0279ae15ea113d
SHA512 4ae0344b56a469e450c67c17658d9b536a6da4989d9ff7c27a4efe682f3d40197079474ab2c072942f0088b80155812b940a45e716d1840a825f0d209fe37528

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EOI09ZFO.txt

MD5 3b5ee34f0c97c5bd98756d9e86f4b43f
SHA1 f1df41df17826e30f2200de7c50149ce17ac2f88
SHA256 3f116cd2df73268a39356e489e2742e556ef23fea9486ac2d743848d297ccacc
SHA512 b90b8032ceca075ce628495933063cda5c93ad9c9585d05b679eaf44ae86de5bbfcb56864ccb3062f4925315d8c3f8c9e44de0158dc7953c5aecd17679252b97

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee