Malware Analysis Report

2024-11-13 19:39

Sample ID 230411-w2zvxafh41
Target FL1.exe
SHA256 5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661
Tags
gcleaner socelars evasion loader persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661

Threat Level: Known bad

The file FL1.exe was found to be: Known bad.

Malicious Activity Summary

gcleaner socelars evasion loader persistence spyware stealer

GCleaner

Socelars payload

Socelars

Checks for common network interception software

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-11 18:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-11 18:25

Reported

2023-04-11 18:30

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FL1.exe"

Signatures

GCleaner

loader gcleaner

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Febinyjyzho.exe\"" C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File opened for modification C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\Uninstall Information\HOWETMBDRI\poweroff.exe C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A
File created C:\Program Files (x86)\Google\Febinyjyzho.exe C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A
File created C:\Program Files (x86)\Google\Febinyjyzho.exe.config C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257113267549625" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (13 identical rows)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (13 identical rows, each interleaved with one of the SeShutdownPrivilege rows above)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (27 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\FL1.exe C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp
PID 3152 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\FL1.exe C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp
PID 3152 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\FL1.exe C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp
PID 1836 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe
PID 1836 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe
PID 2992 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe
PID 2992 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe
PID 4652 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 4652 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 4372 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe
PID 4372 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe
PID 4372 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe
PID 4652 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 4652 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 3816 wrote to memory of 224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe
PID 3816 wrote to memory of 224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe
PID 4652 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 4652 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe C:\Windows\System32\cmd.exe
PID 3000 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe
PID 3000 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe
PID 3000 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe
PID 564 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4084 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4084 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 564 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 564 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 5004 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 5004 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4628 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4216 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4216 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1640 wrote to memory of 1836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (27 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\FL1.exe

"C:\Users\Admin\AppData\Local\Temp\FL1.exe"

C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp" /SL5="$80032,140518,56832,C:\Users\Admin\AppData\Local\Temp\FL1.exe"

C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe

"C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe" /S /UID=flabs1

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe

"C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe /mixfive & exit

C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe

C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe /mixfive

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 452

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe & exit

C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe

C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe & exit

C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe

C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 764

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1356

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd77b69758,0x7ffd77b69768,0x7ffd77b69778

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4628 -ip 4628

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "gcleaner.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1388

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3172 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3308 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3848 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4748 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1812,i,3434923130505002034,10842569299676531715,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 link.storjshare.io udp
US 185.244.226.4:80 link.storjshare.io tcp
US 8.8.8.8:53 4.226.244.185.in-addr.arpa udp
US 185.244.226.4:80 link.storjshare.io tcp
US 8.8.8.8:53 38.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 n8w5.c12.e2-1.dev udp
US 8.8.8.8:53 s3.eu-central-2.wasabisys.com udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 154.49.215.100:443 s3.eu-central-2.wasabisys.com tcp
DE 154.49.215.100:443 s3.eu-central-2.wasabisys.com tcp
DE 52.219.170.106:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 360devtracking.com udp
GB 37.230.138.66:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 123.138.230.37.in-addr.arpa udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 100.215.49.154.in-addr.arpa udp
US 8.8.8.8:53 106.170.219.52.in-addr.arpa udp
US 8.8.8.8:53 66.138.230.37.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
GB 37.230.138.66:80 360devtracking.com tcp
NL 45.12.253.74:80 45.12.253.74 tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 htagzdownload.pw udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 74.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 ji.uiasehgii.com udp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
US 172.67.220.217:80 ji.uiasehgii.com tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 217.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.ddtools.top udp
US 188.114.96.0:80 www.ddtools.top tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 bz.bbbeioaag.com udp
HK 103.100.211.218:80 bz.bbbeioaag.com tcp
US 8.8.8.8:53 www.countlist.top udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 www.ippfinfo.top udp
DE 178.18.252.110:443 www.ippfinfo.top tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
US 104.155.138.21:80 htagzdownload.pw tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 110.252.18.178.in-addr.arpa udp
US 8.8.8.8:53 68.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 208.48.246.47.in-addr.arpa udp
US 8.8.8.8:53 234.95.206.23.in-addr.arpa udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 56.253.12.45.in-addr.arpa udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 www.facebook.com udp
DE 157.240.20.35:443 www.facebook.com tcp
US 8.8.8.8:53 count.iiagjaggg.com udp
HK 154.221.31.191:80 count.iiagjaggg.com tcp
US 8.8.8.8:53 35.20.240.157.in-addr.arpa udp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 accounts.server.lan udp
US 8.8.8.8:53 191.31.221.154.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 hyhjuer.s3.eu-west-3.amazonaws.com udp
FR 16.12.20.2:443 hyhjuer.s3.eu-west-3.amazonaws.com tcp
US 8.8.8.8:53 m.facebook.com udp
US 157.240.5.35:443 m.facebook.com tcp
US 8.8.8.8:53 www.bjsntiyan.com udp
US 188.114.96.0:80 www.bjsntiyan.com tcp
US 157.240.5.35:443 m.facebook.com udp
US 8.8.8.8:53 secure.facebook.com udp
US 8.8.8.8:53 2.20.12.16.in-addr.arpa udp
US 8.8.8.8:53 35.5.240.157.in-addr.arpa udp
US 157.240.5.21:443 secure.facebook.com tcp
DE 157.240.20.35:443 www.facebook.com tcp
US 8.8.8.8:53 apis.google.com udp
NL 172.217.168.206:443 apis.google.com tcp
US 8.8.8.8:53 206.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 21.5.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 13.89.179.9:443 tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 accounts.server.lan udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 assets.msn.com udp
DE 104.126.37.40:443 assets.msn.com tcp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 40.37.126.104.in-addr.arpa udp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 104.155.138.21:80 htagzdownload.pw tcp
NL 8.238.177.126:80 tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 104.155.138.21:80 htagzdownload.pw tcp
US 8.8.8.8:53 htagzdownload.pw udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
US 8.8.8.8:53 67.61.205.35.in-addr.arpa udp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 htagzdownload.pw tcp
BE 35.205.61.67:80 tcp
BE 35.205.61.67:80 tcp
BE 35.205.61.67:80 tcp
BE 35.205.61.67:80 tcp
BE 35.205.61.67:80 tcp

Files

memory/3152-133-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PDI7K.tmp\FL1.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1836-146-0x0000000000660000-0x0000000000661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

C:\Users\Admin\AppData\Local\Temp\is-15N1L.tmp\rt.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

memory/2992-151-0x0000000000910000-0x00000000009A6000-memory.dmp

memory/2992-152-0x000000001B7F0000-0x000000001B800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe

MD5 f32b8def722876287f9424f3f3c41d2e
SHA1 1f4d70acbafd6ca395baea692300dc26bbc6319a
SHA256 2ccb90a9fa5b043283533a40fe2e91c7618c5957625ce4328da1746b7bb6a434
SHA512 f9a821ffab281411fe2b2f8b34842ceb0d5400d699162c6e8fe69af6a5044d5328b18d91f07636b8c6d7e0e8eda181778d0dd1fb86837e26563140ef332d49e3

C:\Users\Admin\AppData\Local\Temp\66-b3005-f3a-e9595-1f0bf91b4afee\Febinyjyzho.exe

MD5 8d30b735e4b1862f684f945330704036
SHA1 80e71f2963ab68b80aee5684cf6e4ddf92ebc0d8
SHA256 698e12fcf9a168744ac562ff9cd94387bfb17ee98ba1b6f114a3063bb03a366a
SHA512 aacb7f8f31b664a19c0a2c513075ddec59d38dabe9c2fea77ed25f50464967b2eb63227372a927f46288b6f2c58e1048369f2a2c929e9f9f48e6460fc01bfbeb

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe

MD5 f32b8def722876287f9424f3f3c41d2e
SHA1 1f4d70acbafd6ca395baea692300dc26bbc6319a
SHA256 2ccb90a9fa5b043283533a40fe2e91c7618c5957625ce4328da1746b7bb6a434
SHA512 f9a821ffab281411fe2b2f8b34842ceb0d5400d699162c6e8fe69af6a5044d5328b18d91f07636b8c6d7e0e8eda181778d0dd1fb86837e26563140ef332d49e3

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Febinyjyzho.exe

MD5 f32b8def722876287f9424f3f3c41d2e
SHA1 1f4d70acbafd6ca395baea692300dc26bbc6319a
SHA256 2ccb90a9fa5b043283533a40fe2e91c7618c5957625ce4328da1746b7bb6a434
SHA512 f9a821ffab281411fe2b2f8b34842ceb0d5400d699162c6e8fe69af6a5044d5328b18d91f07636b8c6d7e0e8eda181778d0dd1fb86837e26563140ef332d49e3

memory/1836-183-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3152-185-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4652-186-0x0000000000190000-0x0000000000214000-memory.dmp

memory/4652-187-0x0000000000C70000-0x0000000000C80000-memory.dmp

memory/4652-188-0x000000001B530000-0x000000001B9FE000-memory.dmp

memory/4652-189-0x000000001BAA0000-0x000000001BB3C000-memory.dmp

memory/4652-190-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

memory/4652-191-0x000000001D7D0000-0x000000001D82E000-memory.dmp

memory/4652-192-0x000000001F370000-0x000000001F67E000-memory.dmp

memory/4652-193-0x0000000000C70000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21-efd5f-7a7-73693-03f2559e289e8\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/4652-195-0x0000000020280000-0x00000000202E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe

MD5 428b3dc26ec47b5e95ce88a160e5b014
SHA1 42477ad6f7e1b5e34dcf5d2110417c1f149a21be
SHA256 666674fc3825dd13f8e344aca0be295432942bed88824ed53b3fe741b6ac9d34
SHA512 bf4c7de7ea82221b361ab837e2534495ef9070089f6f931bf4382c5c97fb9e4d178b6cd90729c44d3fc29b48da1781d857c0c7d6b09333cbacac82c5d9ae5c6d

C:\Users\Admin\AppData\Local\Temp\ztaxd3l0.irn\gcleaner.exe

MD5 428b3dc26ec47b5e95ce88a160e5b014
SHA1 42477ad6f7e1b5e34dcf5d2110417c1f149a21be
SHA256 666674fc3825dd13f8e344aca0be295432942bed88824ed53b3fe741b6ac9d34
SHA512 bf4c7de7ea82221b361ab837e2534495ef9070089f6f931bf4382c5c97fb9e4d178b6cd90729c44d3fc29b48da1781d857c0c7d6b09333cbacac82c5d9ae5c6d

memory/4628-201-0x0000000002100000-0x0000000002140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe

MD5 63ae1766b0a64526ce9632e80c5479c7
SHA1 977173a75f4548b3144727e77215acf0cde00076
SHA256 a71c89ea8765c1adde69ae4e490e92acad56823242ad5545e9f20f48db100406
SHA512 7648f6e3d6ca86cb0e6bc8b1a80cbc82d38cac0ec937a1d807d562de1ad3197b89218ad7a96597f71927b6ed58e2f329eb32e7b28ec402503b35d275907839df

C:\Users\Admin\AppData\Local\Temp\n0dd5ims.3zb\ss29.exe

MD5 63ae1766b0a64526ce9632e80c5479c7
SHA1 977173a75f4548b3144727e77215acf0cde00076
SHA256 a71c89ea8765c1adde69ae4e490e92acad56823242ad5545e9f20f48db100406
SHA512 7648f6e3d6ca86cb0e6bc8b1a80cbc82d38cac0ec937a1d807d562de1ad3197b89218ad7a96597f71927b6ed58e2f329eb32e7b28ec402503b35d275907839df

C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe

MD5 24003f19b479274adb1c359b604c502e
SHA1 679205cb4b1aceb72ea99f12d5feb0c2e9b797af
SHA256 1c7b33e30e68eee4b9e371d293dc1313acb070d3a108768f410322d752d332e9
SHA512 084be6fe0061084f1ac1273182d0c644c1f9fe590e0c7e238bafb5298e637fcc36eaad7205758a1477d8c80021489d82d7351972c02b2a8a2cf17d974b3ae9f5

C:\Users\Admin\AppData\Local\Temp\ccrhcqyy.o4i\handdiy_3.exe

MD5 24003f19b479274adb1c359b604c502e
SHA1 679205cb4b1aceb72ea99f12d5feb0c2e9b797af
SHA256 1c7b33e30e68eee4b9e371d293dc1313acb070d3a108768f410322d752d332e9
SHA512 084be6fe0061084f1ac1273182d0c644c1f9fe590e0c7e238bafb5298e637fcc36eaad7205758a1477d8c80021489d82d7351972c02b2a8a2cf17d974b3ae9f5

memory/224-221-0x0000000002F30000-0x000000000309D000-memory.dmp

memory/224-222-0x00000000030A0000-0x00000000031CD000-memory.dmp

memory/4652-223-0x0000000000C70000-0x0000000000C80000-memory.dmp

memory/4652-237-0x0000000000C70000-0x0000000000C80000-memory.dmp

memory/4628-239-0x0000000000400000-0x00000000004B6000-memory.dmp

\??\pipe\crashpad_1640_KDQHTFVURQCWBCQR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2bd089522b71dd2e6569cf4dbd69b222
SHA1 a2b4409d48376f611aa238341e60f4a19f9625f6
SHA256 147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009
SHA512 359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

MD5 05bfb082915ee2b59a7f32fa3cc79432
SHA1 c1acd799ae271bcdde50f30082d25af31c1208c3
SHA256 04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1
SHA512 6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

MD5 362695f3dd9c02c83039898198484188
SHA1 85dcacc66a106feca7a94a42fc43e08c806a0322
SHA256 40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca
SHA512 a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

MD5 c31f14d9b1b840e4b9c851cbe843fc8f
SHA1 205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

memory/224-279-0x00000000030A0000-0x00000000031CD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2dbde3b1-639e-42d1-8f24-40061d887b5d.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-11 18:25

Reported

2023-04-11 18:30

Platform

win7-20230220-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FL1.exe"

Signatures

GCleaner

loader gcleaner

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Gakaemafiba.exe\"" C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Gakaemafiba.exe C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File opened for modification C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\Common Files\PZLWVPEDOM\poweroff.exe C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
File created C:\Program Files (x86)\Common Files\Gakaemafiba.exe.config C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
File created C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ea0f43b46cd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C9C73A1-D8A7-11ED-ADAF-EE84389A6D8F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FL1.exe C:\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp
PID 1124 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe
PID 336 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe
PID 336 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe C:\Windows\System32\cmd.exe
PID 2044 wrote to memory of 1368 N/A C:\Windows\System32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1368 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1720 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 2336 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe
PID 1720 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe C:\Windows\System32\cmd.exe
PID 2476 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe
PID 1720 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2604 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe
PID 2336 wrote to memory of 2652 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2604 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2604 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FL1.exe

"C:\Users\Admin\AppData\Local\Temp\FL1.exe"

C:\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp" /SL5="$90126,140518,56832,C:\Users\Admin\AppData\Local\Temp\FL1.exe"

C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe

"C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe" /S /UID=flabs1

C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe

"C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1QFDX4

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1QFDX4

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe /mixfive & exit

C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe

C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe /mixfive

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe & exit

C:\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe

C:\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe & exit

C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe

C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "gcleaner.exe" /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ad9758,0x7fef6ad9768,0x7fef6ad9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2240 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2652 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1380 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1312,i,2011241818340968677,7865147770743517501,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 link.storjshare.io udp
US 185.244.226.4:80 link.storjshare.io tcp
US 8.8.8.8:53 connectini.net udp
GB 37.230.138.123:443 connectini.net tcp
US 8.8.8.8:53 s3.eu-central-2.wasabisys.com udp
US 8.8.8.8:53 n8w5.c12.e2-1.dev udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 154.49.215.103:443 s3.eu-central-2.wasabisys.com tcp
DE 154.49.215.100:443 s3.eu-central-2.wasabisys.com tcp
DE 3.5.138.116:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 360devtracking.com udp
GB 37.230.138.66:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 google.com udp
NL 45.12.253.74:80 45.12.253.74 tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 htagzdownload.pw udp
DE 148.251.234.83:443 iplogger.org tcp
US 104.154.244.244:80 htagzdownload.pw tcp
US 8.8.8.8:53 ji.uiasehgii.com udp
US 104.21.24.217:80 ji.uiasehgii.com tcp
US 8.8.8.8:53 bz.bbbeioaag.com udp
US 8.8.8.8:53 www.ddtools.top udp
HK 103.100.211.218:80 bz.bbbeioaag.com tcp
US 188.114.96.0:80 www.ddtools.top tcp
US 8.8.8.8:53 www.countlist.top udp
US 8.8.8.8:53 www.ippfinfo.top udp
DE 178.18.252.110:443 www.ippfinfo.top tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
NL 45.12.253.56:80 45.12.253.56 tcp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 clients2.server.lan udp
US 8.8.8.8:53 accounts.server.lan udp
US 8.8.8.8:53 hyhjuer.s3.eu-west-3.amazonaws.com udp
US 8.8.8.8:53 m.facebook.com udp
FR 52.95.156.40:443 hyhjuer.s3.eu-west-3.amazonaws.com tcp
US 157.240.5.35:443 m.facebook.com tcp
US 8.8.8.8:53 www.facebook.com udp
DE 157.240.252.35:443 www.facebook.com tcp
US 188.114.96.0:80 www.bjsntiyan.com tcp
US 157.240.5.35:443 m.facebook.com udp
US 8.8.8.8:53 secure.facebook.com udp
US 157.240.5.21:443 secure.facebook.com tcp
US 8.8.8.8:53 count.iiagjaggg.com udp
HK 154.221.31.191:80 count.iiagjaggg.com tcp
US 8.8.8.8:53 apis.google.com udp
NL 172.217.168.206:443 apis.google.com tcp
N/A 224.0.0.251:5353 udp

Files

memory/1324-54-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

C:\Users\Admin\AppData\Local\Temp\is-MUIV2.tmp\FL1.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1124-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

C:\Users\Admin\AppData\Local\Temp\is-D3ECL.tmp\rt.exe

MD5 f6c312d7bc53140df83864221e8ebee1
SHA1 da7ad1f5fa18bf00c3352cb510554b061bbfe04f
SHA256 e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db
SHA512 38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

memory/336-77-0x0000000000020000-0x00000000000B6000-memory.dmp

memory/336-78-0x0000000000230000-0x000000000029A000-memory.dmp

memory/336-79-0x0000000001E60000-0x0000000001EBE000-memory.dmp

memory/336-80-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/1124-89-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1324-88-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe

MD5 f32b8def722876287f9424f3f3c41d2e
SHA1 1f4d70acbafd6ca395baea692300dc26bbc6319a
SHA256 2ccb90a9fa5b043283533a40fe2e91c7618c5957625ce4328da1746b7bb6a434
SHA512 f9a821ffab281411fe2b2f8b34842ceb0d5400d699162c6e8fe69af6a5044d5328b18d91f07636b8c6d7e0e8eda181778d0dd1fb86837e26563140ef332d49e3

C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Gakaemafiba.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/1720-124-0x0000000000980000-0x0000000000A04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar3C7C.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4577313559a1511cd6c38ee478aab57c
SHA1 2dfa1fc535327f7c2ee34b9fb588cef44240f39a
SHA256 69ca3b7a01f3543d55ea5c9c8725fcf1b5a6a5d21be00bae5a11a4fdc48d717b
SHA512 3e02f3bf23ccfc980ece65220a8dbd47e5d361f777bbe4ab1cfdb5f075c37dff670e07dc3eb397cbedfd9184f6e0c8bd2bce77cb8bc5ca3db264e50f11d78eb9

memory/1720-220-0x0000000001FE0000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8703a8edcbbeb3d9ca7d136abfce598c
SHA1 a7610ddcb5e9bd7ad046a7bdea0cd7e1607f54ae
SHA256 10dcc4f1f1c7adcd62eeb28639f530365f5da6f4343c44dd8f752be24911f22e
SHA512 07d437262890733d982586e4b019ed911a3db2eff6dc764dba2f2952250f9941c0a0d5cf478c80894c31c4ee7b1663a2a39f2ab9873f4cc096f6febc164b6678

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 922e05ab97a874353b7bdf83fa59c3d7
SHA1 f98f3b7bc9778da7e6cc5c21ffff6b2b8f81557d
SHA256 cc4085fef3ebf39e4ee1a7246f498aa054432db485c082b7f9aa580a527af545
SHA512 69dba95405eb1af17897d8cd3236942c5ba651c52a95c55fb97d925851b2c74e1744bf0eb0c7c982ff3e3bb2145e0f68f00008c3b6aaf427c9486460119979d4

C:\Users\Admin\AppData\Local\Temp\fb-1ce6c-eab-99286-b3d86ebcd4c39\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/1720-277-0x0000000001FE0000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1iyczcf4.zdx\gcleaner.exe

MD5 428b3dc26ec47b5e95ce88a160e5b014
SHA1 42477ad6f7e1b5e34dcf5d2110417c1f149a21be
SHA256 666674fc3825dd13f8e344aca0be295432942bed88824ed53b3fe741b6ac9d34
SHA512 bf4c7de7ea82221b361ab837e2534495ef9070089f6f931bf4382c5c97fb9e4d178b6cd90729c44d3fc29b48da1781d857c0c7d6b09333cbacac82c5d9ae5c6d

memory/2336-284-0x0000000000220000-0x0000000000260000-memory.dmp

\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe

MD5 63ae1766b0a64526ce9632e80c5479c7
SHA1 977173a75f4548b3144727e77215acf0cde00076
SHA256 a71c89ea8765c1adde69ae4e490e92acad56823242ad5545e9f20f48db100406
SHA512 7648f6e3d6ca86cb0e6bc8b1a80cbc82d38cac0ec937a1d807d562de1ad3197b89218ad7a96597f71927b6ed58e2f329eb32e7b28ec402503b35d275907839df

C:\Users\Admin\AppData\Local\Temp\ockeevvj.knf\ss29.exe

MD5 63ae1766b0a64526ce9632e80c5479c7
SHA1 977173a75f4548b3144727e77215acf0cde00076
SHA256 a71c89ea8765c1adde69ae4e490e92acad56823242ad5545e9f20f48db100406
SHA512 7648f6e3d6ca86cb0e6bc8b1a80cbc82d38cac0ec937a1d807d562de1ad3197b89218ad7a96597f71927b6ed58e2f329eb32e7b28ec402503b35d275907839df

C:\Users\Admin\AppData\Local\Temp\jctgq0m3.mtp\handdiy_3.exe

MD5 24003f19b479274adb1c359b604c502e
SHA1 679205cb4b1aceb72ea99f12d5feb0c2e9b797af
SHA256 1c7b33e30e68eee4b9e371d293dc1313acb070d3a108768f410322d752d332e9
SHA512 084be6fe0061084f1ac1273182d0c644c1f9fe590e0c7e238bafb5298e637fcc36eaad7205758a1477d8c80021489d82d7351972c02b2a8a2cf17d974b3ae9f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 936b8a94e022d05433a3b9f55bd542dd
SHA1 9ed76f13bc7cf77e9bdfee9e52aca256ddc122ca
SHA256 bbf5ac1e9c87cdf6a5e327caa8522b95d2df350bac543f4466e5d938bf548eeb
SHA512 c15a09e483bd537d325b4bfadf1f8afb2e5913290f2f10fefbcabe90b19e2e1ed199963b088fa8a91fc57b5bc836d0f202cd0ecb086026c380fa97c27ef888a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca7be6fea7d549dfa2a4ce2bbdc190c3
SHA1 395d5f1147efb04d21330fee171a7ca8384f7ef5
SHA256 e2acd6486d852dc31c47482c080ad622857032fc646d912f37a882a942657429
SHA512 47c27671d7a321fefde33a9b7f52acec0461169e8078451d2bc82b406cc18f83f8c64647bddf89110e7bac807521fb7a8e6a9a833e3153c3a3990c0853c299b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f77b7143a4b1be5579229d5c4a9bb26
SHA1 c235e4f39cd7d0b5c0f5d42bec8d75839844cdbf
SHA256 291f003bfa51844337d117368cbff0b256f233a23e0f5b8d142a32bce335fbe7
SHA512 e269b53ed11ff7c4a0f01ae21403d8fe8172906e3098b3d832dba5960618be08688f31dbfcff5061a364a691399fb51cc1b5be47835e110b9bd0b5639b600028

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 153bd8fe25b054431f47b368fc4ff938
SHA1 7f6366297ea3e38e990ed903af11d12f2bab1038
SHA256 e58513117362c01ad7018e97446b2efa47ae0e27d837ddf0a0bb218275f7a899
SHA512 7cfa2f5f18fbfff2553f1188af28b671c66f3aa53bf023c16dc07d17961d34f9e4ab9f848fdc4bed4bb51386adc3d4fde9897875fcf78f9197851fce7f8fa94c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f5c64a207e263a18b1dafcbc7887625
SHA1 88cf1a5a9d0dfbbaea8bd128517f7a2f0629c949
SHA256 47df2d435dab6c44c1c41590cbe110ac459d76f777673580631d199e5a4108bd
SHA512 eba3b1bc1576a016b3f27194bb8763fb0f713c6b44cbf1e37fc519806ae7743398109b584ae2a7c5753abdee1c4bf8484a960f4cb988c6364ba9099ec1d4147c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfffd019d0e255a212109a39c5db0256
SHA1 a45081333c4fb7b4a9f37a62b45f1aafa6da318c
SHA256 f2223d9f689f761a3d5175440c574a964a806281ea89fc570a027942cfe29072
SHA512 789d5d924df5acd317b22d1cfd2ef16d5cea5639a70908af2a6ae25ef31ffa708d9f3309babb46f4529bde293e88fbbf651891bf7943c80773de41dcd41ec961

memory/2336-504-0x0000000000400000-0x00000000004B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59a302047937526f2ae6166c7d1d9e97
SHA1 6f550c5653a91bc3a2e1e996b12b54e6b5366031
SHA256 484f5afcd2aa17e4cc2d867886bde720d29bb473f0a3c86552ace4cc59e5640a
SHA512 5e6e83929f0114673fe9c92fc8c249b28716483ac3c62ef83bfeb529520bd54d9abed9cabf3fe806e28f542c7a058358d50adaf7f631403695edb6dfd6bb14ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47362b946710ee1c31f5b26f6876cc83
SHA1 400c74249e4e53839a2b3a0cd5e40e6c9af3b38d
SHA256 e11b8f86bbd881a00d2f9ad21ca2aac4db6755142c438eccd972b586b03ff1b6
SHA512 97dc8363941745a8250d7ee0b0d6ac280eb10c69343e80761fc6d73caf21e2f1f64b5702ebcc4937ef5ff2c4a5b52df348cf0c2413e07664ea50836331eecf67

memory/336-578-0x000000001AFE0000-0x000000001B060000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b234191cf6703cb45ff19d595553ab0
SHA1 0a313c4e828235001969dcbaa3fe4f37fdd1c2bd
SHA256 fdc78007f866046e9a318460766a45449515670cb22434a36188792ac0d0a8e8
SHA512 edc85b1fc51158a38b522c787593e56ce3564961c09782abefa4ec9d5bcff517b433c8cfa526a673740f2247a391a9c62d857251ce01afaa6d52fb2ec2913492

memory/1124-610-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1324-612-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79852ebcb6bda502a7d0924fdc5b1691
SHA1 d97f7cc7499fd8de675c8b86d24999ee61cd7cfa
SHA256 adf35f467536890ffb42cf3fb5836ac3b4abbcd0931e0118644a475dea246194
SHA512 26a8111f6c39ad42573680de6a2a3e4c7eeaefbf17764529ca896f4d82c706935e48bb1bc2eae825c3c07e0adc1673f516a18d81d0a2fcacb64a7802916c40a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a4f4e1cab313f4539800b61bf238e4b
SHA1 4b602408c745877687911f7e4322acd2ac89198d
SHA256 b8e7ff4c37c1556234b59be8a9151666e93fe7c0d619b00073b4bf6176d3c656
SHA512 58edd4f750308a1dadcc2af3edee6845b2e804fe9961ea1d1c7e13edf8e36c924ed07fc91f1fcdc89c2c1f062c996e9c2fff8300a1c7844abc2889ce0522731a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c415a86264a2c061e117a0414ab7f9d5
SHA1 071835cb1645eac551d7b660bfd22274aa6a8761
SHA256 1a779a28a418d8510c9ee5497184b80cddd3a9cf79d63df9704952c8eb247713
SHA512 43fc6567e6a30b8f032d2d8b523eb17efd296aac80dcabab74217fd3d10df782a53acd299cac3b0940c7af416132140eed1ae4d47151db28f196c5454fb41d13

memory/2500-714-0x0000000002A30000-0x0000000002B9D000-memory.dmp

memory/2500-715-0x0000000002BA0000-0x0000000002CCD000-memory.dmp

memory/1720-876-0x0000000001FE0000-0x0000000002060000-memory.dmp

memory/1720-891-0x0000000001FE0000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 76614e25ac2f3d5e809ddf3efbcecc92
SHA1 854f778a84431dcd128d7e5cff91608c363fb475
SHA256 c6a7faa61df54404f32a99fd204e906c2627ee6c91a081a7595b4ce83ac12d6a
SHA512 d69240ca01515a8d4f9669f93f2c01edef87d1a30b0a83df5f6c6f81153c8f2539946717069deee4af19de0becec7f930121f34d7e4b00f1d1ab1f0dee776ca5

\??\pipe\crashpad_2192_GEJSHHJQQYSTBIDZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

MD5 05bfb082915ee2b59a7f32fa3cc79432
SHA1 c1acd799ae271bcdde50f30082d25af31c1208c3
SHA256 04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1
SHA512 6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

MD5 362695f3dd9c02c83039898198484188
SHA1 85dcacc66a106feca7a94a42fc43e08c806a0322
SHA256 40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca
SHA512 a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

MD5 c31f14d9b1b840e4b9c851cbe843fc8f
SHA1 205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4
SHA256 03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54
SHA512 2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

MD5 0db39dcbbe09ca3589a226b52525d5f8
SHA1 7079c349e2328d2e66658cc26771df0a27035d20
SHA256 9f45619c4e51bdb6c50a90a79b40f5a6d49c223710c111040d6f08f1f34a03a9
SHA512 6c437e2b23d29a958b84621750d8c19c7d078ad0e493d843aabfe4d369fca618be5086727cc986cf9799f7109fa0c2514f86ea40db109212c535624109f81c18

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nndannfdnoaiphfcbbpgkhodebpoiocf\CURRENT~RF6c958c.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 709102b0bf887b8493e19b24e3959af9
SHA1 816265064620fb8a4252d8e9f8da1369df44f195
SHA256 2b5040e18ce2d3b7b360b86e9099e587af3bd6a3d8ed6f5b925fac62704b8de6
SHA512 2cc9e4b5784e62590add0c81da6ecfc71d2d7688b2ba17e440690458f5b093a48c5c65d9bfb85c96e792eb54d076643fe536b78737030628e48c1461a5a1b223

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f2f25ef91790e901813c2bf16b00f0a
SHA1 2611349f56d9b9d127d5a7caef3b60b60eaa8730
SHA256 6f918ad010de28c8893aba98036bf8458a03c9fcf601fcef1aad6c2c893b2441
SHA512 63df690f39c260736eb14ee08832f529660afd3e2c37e80f233cb60cea5712355ea8560e16ff93c6db027c8c588792735d08e80a615d7bc89b72c98e72ec8a51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd39ea0f3f8de995a853a617b78a303c
SHA1 5c45af50a4a5041957866dbdd124e801b6d076a6
SHA256 20228ea7b61a7c8972bb4132b236f1990221493373a8c2a8dd13693b37ab8830
SHA512 d4c90a2e58a0ef6c29aa31a2971a6afb29452fcd29e29e3cb55b138bdfd3f7efef96347cfb077bf628566bb3e265a7a007e2917f6977a15cb8d0322ef3e9df32

memory/2500-1025-0x0000000002BA0000-0x0000000002CCD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f54d73fb185244a5a924010317690213
SHA1 a4a279086f2abf91c2f1a0d7e18ac819d244cb36
SHA256 ebd0c0d9de8aaac02d108b0907fc9d24a6cc63c31b6607d47dadcfe28a6201e9
SHA512 6c1b3b5fc50b598bf09f2dd821dba824126c0a5e64e7f7b6a87b3c65e3a3603887b82cc235006ceff8f26223d6482e6a4854fda2c82af56a5fd2dc6a8816ff54

C:\Users\Admin\AppData\Local\Temp\~DFB6711933DB2CED3F.TMP

MD5 72ed9db0780b734ed6af1ed3b685efd8
SHA1 91fa62c03dd8772d90d903351ec9190f82ea8312
SHA256 2e63de84a098dcada6e03ad2aa6919d8961b74be7a55d4a99f056b0a4201112e
SHA512 245ad4a5b48f13bb6ebd7629cbfcb99bf77368b404482552d7757fb1ed6e754883dbf1560144524bc7ce10af78b58623c105d9a40df603364549fa84fd5894e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7ad342f0b458cf1819a1b8ba744e7910
SHA1 df80c75bea897ec420e172f8797e030fac54ba46
SHA256 0b51c7d1f62d35944da980705762f39496e019ad947ce3ba0ae4255805f46dc5
SHA512 79fca74b35638a88ff29019a5ac02ff41c4442fa4cba84c58a31cbc39947179a81026811d821c7c21dda238594853f64fa8a28b30ed593a887ace870146d40c8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 43b720f859e77460be844afdc0587732
SHA1 83f5afd470b2290cc1356231e10d12c09fddc541
SHA256 c6c0d1fa662b2002b4cf018825ea18d4177e8e0d0718f7535e25ac219c1c473b
SHA512 2f54f6378355cfc2297b0c061a1600cd135090e9e117a737e2c8af9fc0f687a8490e1c91370c2b1aa1b41925787de794d4775254c9c0e6c4309f7da6ced9e533

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4591bc76-6add-49b5-99ea-d4aa6bd1b2e8.tmp

MD5 4bb6a5f771b3077df5156d47d3341dfe
SHA1 a12e2f52d4aab358b4e2226bb1ec8479684ffe8b
SHA256 69f6b2379f24bd285a77aa01bfc2252f0ff0ad366bd1c3b9dfa2cf7326e6383c
SHA512 8fda63de6e597934a9b349855e95c66027638a4f27fa7652e3cb8b28f2eab8201eedfa14827b56bc89f829ea50bc1f95ed216d8e6a7d384ed0a41d766e1fa049