Analysis Overview
SHA256
ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce
Threat Level: Known bad
The file ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
RedLine payload
Stealc
UAC bypass
Glupteba payload
Glupteba
Amadey
ZGRat
RedLine
Detect ZGRat V1
Windows security bypass
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Windows security modification
Themida packer
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
Identifies Wine through registry keys
Reads local data of messenger clients
Checks whether UAC is enabled
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Modifies system certificate store
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-25 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-25 19:51
Reported
2024-04-25 19:54
Platform
win11-20240412-en
Max time kernel
81s
Max time network
153s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3624 set thread context of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4548 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4660 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 412 set thread context of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2400 set thread context of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 244 set thread context of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
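The registry and thread-context rows in the tables above are the parts of this report an analyst acts on: two droppers (file300un.exe, Uni400uni.exe) set EnableLUA to 0 and register themselves as Defender path exclusions, keks.exe installs a root certificate with thumbprint F1A578C4CB5DE79A370893983FD4DA8B67B2B064, and several payloads set the thread context of freshly spawned RegAsm.exe/jsc.exe, which is the process-hollowing pattern. The script below is an added example (editor's code, not part of the sandbox output). It parses rows copied from those tables and maps each to an ATT&CK technique and a severity; the mapping, severities and rule order are the editor's assumptions, not labels from the sandbox. Queries of EnableLUA without a write are deliberately not flagged, so the rules separate the UAC check from the UAC disable.

```python
"""Map the signature-table rows above to ATT&CK techniques for triage.

Added example; not part of the sandbox report. The rows are copied from the
report's tables and the technique mapping is the editor's own assumption.
"""
import re
from dataclasses import dataclass

# Constructed input: (signature, description, indicator, process, target) tuples
# copied from the tables above.
SAMPLE_ROWS = [
    ("UAC bypass", "Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
     r"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe", "N/A"),
    ("UAC bypass", "Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
     r"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe", "N/A"),
    ("Windows security bypass", "Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"',
     r"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe", "N/A"),
    ("Modifies system certificate store", "Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064",
     r"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe", "N/A"),
    ("Suspicious use of SetThreadContext", "PID 3624 set thread context of 3852", "N/A",
     r"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ("Suspicious use of SetThreadContext", "PID 2400 set thread context of 4824", "N/A",
     r"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"),
    ("Drops file in Windows directory", "File created", r"C:\Windows\Tasks\chrosha.job",
     r"C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe", "N/A"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "Key opened",
     r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe", "N/A"),
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id (editor's mapping)
    name: str
    severity: str    # high / medium / low
    process: str     # full path of the process that produced the indicator
    detail: str      # captured group (thumbprint, hollowed host) or the signature name


# Rules are searched against "description|indicator|target" in this order;
# the first match wins, so the most specific patterns come first.
RULES = [
    (re.compile(r'Policies\\System\\EnableLUA = "0"'),
     "T1548.002", "UAC disabled by writing EnableLUA=0", "high"),
    (re.compile(r'Windows Defender\\Exclusions\\Paths\\.+ = "0"'),
     "T1562.001", "Defender path exclusion added for the dropper", "high"),
    (re.compile(r'SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})'),
     "T1553.004", "root certificate installed in the machine store", "high"),
    (re.compile(r'^PID \d+ set thread context of \d+\|N/A\|.*\\Microsoft\.NET\\Framework\\v[\d.]+\\(RegAsm|jsc|AddInProcess32|MSBuild)\.exe$'),
     "T1055.012", "thread context set on a .NET utility host (process hollowing)", "high"),
    (re.compile(r'\\Windows\\Tasks\\[^\\]+\.job'),
     "T1053.005", "legacy .job scheduled task dropped", "medium"),
    (re.compile(r'ACPI\\DSDT\\VBOX__|\\Software\\Wine\b|SystemBiosVersion|VideoBiosVersion'),
     "T1497.001", "VM / Wine / BIOS sandbox check", "low"),
]


def classify(rows):
    """Return one Finding per row that matches a rule; unmatched rows are dropped."""
    findings = []
    for sig, desc, indicator, process, target in rows:
        hay = f"{desc}|{indicator}|{target}"
        for rx, tid, name, sev in RULES:
            m = rx.search(hay)
            if m:
                detail = m.group(1) if m.groups() else sig
                findings.append(Finding(tid, name, sev, process, detail))
                break
    return findings


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def summarize(findings):
    """technique id -> sorted list of process basenames that triggered it."""
    by_tech = {}
    for f in findings:
        by_tech.setdefault(f.technique, set()).add(_basename(f.process))
    return {t: sorted(p) for t, p in by_tech.items()}


def high_severity_processes(findings):
    """Sorted basenames of every process with at least one high-severity finding."""
    return sorted({_basename(f.process) for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for tech, procs in summarize(classify(SAMPLE_ROWS)).items():
        print(tech, procs)
```

Running it over the sample rows yields the two droppers under T1548.002 and T1562.001, keks.exe under T1553.004 with the thumbprint as detail, and the two hollowing parents under T1055.012; chrosha.exe only appears under the low-severity sandbox check and the .job task, which is the right priority order for a responder.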
Processes
C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe
"C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 888
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\718508534211_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4548 -ip 4548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 380
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 408
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
"C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\tQjC59wTg01uEnguOmXAaTWI.exe
"C:\Users\Admin\Pictures\tQjC59wTg01uEnguOmXAaTWI.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa60cab58,0x7fffa60cab68,0x7fffa60cab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4484 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:1
C:\Users\Admin\Pictures\NMus4ceehrf4bE0jSmnHTjuk.exe
"C:\Users\Admin\Pictures\NMus4ceehrf4bE0jSmnHTjuk.exe"
C:\Users\Admin\Pictures\6RY6tH03OL6urYROFfVV6ifR.exe
"C:\Users\Admin\Pictures\6RY6tH03OL6urYROFfVV6ifR.exe"
C:\Users\Admin\Pictures\GLLfRBaevGDuATQkG8mti76X.exe
"C:\Users\Admin\Pictures\GLLfRBaevGDuATQkG8mti76X.exe"
C:\Users\Admin\Pictures\958JDNBQjABn0ypblGawVeuw.exe
"C:\Users\Admin\Pictures\958JDNBQjABn0ypblGawVeuw.exe"
C:\Users\Admin\Pictures\weTE4zEfNNtZS7kwhNJ9o5jC.exe
"C:\Users\Admin\Pictures\weTE4zEfNNtZS7kwhNJ9o5jC.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4052 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3824 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1836,i,10057452675458224220,12280266518234926433,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\u3rc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3rc.0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\u45s.0.exe
"C:\Users\Admin\AppData\Local\Temp\u45s.0.exe"
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\Pictures\NMus4ceehrf4bE0jSmnHTjuk.exe
"C:\Users\Admin\Pictures\NMus4ceehrf4bE0jSmnHTjuk.exe"
C:\Users\Admin\Pictures\958JDNBQjABn0ypblGawVeuw.exe
"C:\Users\Admin\Pictures\958JDNBQjABn0ypblGawVeuw.exe"
C:\Users\Admin\Pictures\weTE4zEfNNtZS7kwhNJ9o5jC.exe
"C:\Users\Admin\Pictures\weTE4zEfNNtZS7kwhNJ9o5jC.exe"
C:\Users\Admin\Pictures\GLLfRBaevGDuATQkG8mti76X.exe
"C:\Users\Admin\Pictures\GLLfRBaevGDuATQkG8mti76X.exe"
C:\Users\Admin\AppData\Local\Temp\u3rc.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u3rc.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\Pictures\ly2AuaUUa2PmjoUqF3gbhD5N.exe
"C:\Users\Admin\Pictures\ly2AuaUUa2PmjoUqF3gbhD5N.exe"
C:\Users\Admin\Pictures\lLAdKi06bNovn46U2s4FTctk.exe
"C:\Users\Admin\Pictures\lLAdKi06bNovn46U2s4FTctk.exe"
C:\Users\Admin\AppData\Local\Temp\u45s.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u45s.2\run.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe
"C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe" --silent --allusers=0
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6ee2e1d0,0x6ee2e1dc,0x6ee2e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\wBdX5YjlwYmA4BIUKret7ifH.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\wBdX5YjlwYmA4BIUKret7ifH.exe" --version
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe
"C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5624 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425195325" --session-guid=f47ef05e-d843-4960-b625-f01e10872ff8 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C04000000000000
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6e47e1d0,0x6e47e1dc,0x6e47e1e8
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1096
C:\Users\Admin\AppData\Local\Temp\u45s.3.exe
"C:\Users\Admin\AppData\Local\Temp\u45s.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5392 -ip 5392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 1536
C:\Users\Admin\AppData\Local\Temp\u3rc.3.exe
"C:\Users\Admin\AppData\Local\Temp\u3rc.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6116 -ip 6116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 1096
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251953251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251953251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
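The process list pairs each image path with its command line, and the command lines carry the detection-grade detail: a schtasks task that re-runs NewB.exe every minute from Temp, Add-MpPreference exclusions for both droppers, rundll32 invoking the Main export of cred64.dll/clip64.dll under Roaming, netsh wlan show profiles, Compress-Archive of a _Files_ staging folder into a Desktop.zip, a choice/Del self-delete of RegAsm.exe, and Chrome launched with --load-extension pointing at Temp. The script below is an added example (editor's code, not part of the report): a small rule set run over command lines copied from the list above, plus a parser that pulls the schedule and target out of the schtasks line. Technique ids and rule names are the editor's mapping and are assumptions.

```python
"""Command-line detections over the Processes section above.

Added example, not from the report. The command lines are copied from the
Processes section (constructed input); rule names and technique ids are the
editor's own mapping and are assumptions.
"""
import re

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main',
    r"netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\718508534211_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"',
    # Two lines that must not fire: the crash handler and Chrome's own elevation service.
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 888",
    r'"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"',
]

# (pattern, technique id, rule name). Patterns are anchored on the tool plus the
# argument shape, not on file names, so renamed payloads still match.
RULES = [
    (re.compile(r'schtasks\.exe".*/Create\b.*/SC MINUTE\b.*/TR "?[^"]*\\AppData\\', re.I),
     "T1053.005", "minute-interval scheduled task running from AppData"),
    (re.compile(r'powershell.*Add-MpPreference\b.*-ExclusionPath\b', re.I),
     "T1562.001", "Defender exclusion added via Add-MpPreference"),
    (re.compile(r'rundll32\.exe"?\s+\S*\\AppData\\Roaming\\\S*\.dll,\s*\w+', re.I),
     "T1218.011", "rundll32 calling an export of a DLL under the user profile"),
    (re.compile(r'netsh\s+wlan\s+show\s+profiles', re.I),
     "T1016", "Wi-Fi profile enumeration"),
    (re.compile(r'Compress-Archive\b.*-DestinationPath\b', re.I),
     "T1560.001", "staged files archived with Compress-Archive"),
    (re.compile(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b', re.I),
     "T1070.004", "delayed self-delete via choice /T ... & Del"),
    (re.compile(r'chrome\.exe".*--load-extension="?[^"]*\\Temp\\', re.I),
     "T1176", "Chrome launched with an unpacked extension from Temp"),
]

SCHTASKS_RX = re.compile(r'/SC\s+(\w+)\s+/MO\s+(\d+)\s+/TN\s+(\S+)\s+/TR\s+"([^"]+)"', re.I)


def scan(cmdlines):
    """Return (technique, rule name, command line) for every rule that fires."""
    hits = []
    for cl in cmdlines:
        for rx, tid, name in RULES:
            if rx.search(cl):
                hits.append((tid, name, cl))
    return hits


def techniques(hits):
    """Sorted, deduplicated technique ids from scan()."""
    return sorted({tid for tid, _, _ in hits})


def parse_schtasks(cmdline):
    """Extract schedule, modifier, task name and target from a schtasks /Create line."""
    m = SCHTASKS_RX.search(cmdline)
    if not m:
        return None
    return {
        "schedule": m.group(1).upper(),
        "modifier": int(m.group(2)),
        "task": m.group(3),
        "target": m.group(4),
    }


if __name__ == "__main__":
    for tid, name, cl in scan(SAMPLE_CMDLINES):
        print(tid, name, "::", cl[:80])
    print(parse_schtasks(SAMPLE_CMDLINES[0]))
```

The WerFault and elevation_service lines produce no hits, which matters here: the report's process list contains far more Chrome, Opera and crash-handler noise than malware, so rules keyed on argument shape rather than on "process spawned from Temp" keep the alert list readable.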
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 104.21.72.132:443 | cleartotalfisherwo.shop | tcp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 172.67.211.165:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | 132.205.67.172.in-addr.arpa | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 172.67.144.218:443 | pillowbrocccolipe.shop | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 172.67.218.63:443 | incredibleextedwj.shop | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| US | 8.8.8.8:53 | 234.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.218.67.172.in-addr.arpa | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| RU | 185.215.113.67:26260 | | tcp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| RU | 77.221.151.47:80 | 77.221.151.47 | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| GB | 216.58.204.78:443 | apis.google.com | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| NL | 185.26.182.111:443 | features.opera-api2.com | tcp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| GB | 23.48.165.9:443 | download3.operacdn.com | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| FR | 143.244.56.50:443 | download.iolo.net | tcp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| RU | 91.215.85.66:15647 | N/A | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
Files
memory/2112-0-0x0000000000BA0000-0x0000000001054000-memory.dmp
memory/2112-1-0x00000000770C6000-0x00000000770C8000-memory.dmp
memory/2112-2-0x0000000000BA0000-0x0000000001054000-memory.dmp
memory/2112-8-0x0000000005610000-0x0000000005611000-memory.dmp
memory/2112-7-0x0000000005600000-0x0000000005601000-memory.dmp
memory/2112-6-0x0000000005660000-0x0000000005661000-memory.dmp
memory/2112-5-0x0000000005620000-0x0000000005621000-memory.dmp
memory/2112-4-0x0000000005640000-0x0000000005641000-memory.dmp
memory/2112-3-0x0000000005630000-0x0000000005631000-memory.dmp
memory/2112-9-0x0000000005690000-0x0000000005691000-memory.dmp
memory/2112-10-0x0000000005680000-0x0000000005681000-memory.dmp
memory/2112-15-0x0000000000BA0000-0x0000000001054000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | ce40fa2c7c0d6847ee6cf5c3d7e15506 |
| SHA1 | 325317c47d3677428ced294f76e06390d937df7c |
| SHA256 | ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce |
| SHA512 | eabdeab6b978fc7bc7ad7c01910388486001eebf64ea49a72bcce5d64adf337b93685e0493f3b9c12a4158481dfd94d422652752aa200ef98db6227add1f80ae |
memory/2520-18-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/2520-19-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/2520-21-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/2520-20-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/2520-23-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
memory/2520-22-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/2520-24-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/2520-26-0x0000000004D90000-0x0000000004D91000-memory.dmp
memory/2520-25-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/2520-27-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/2520-28-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/3624-49-0x0000000072A80000-0x0000000073231000-memory.dmp
memory/3624-48-0x0000000000180000-0x00000000001D2000-memory.dmp
memory/3852-52-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3852-55-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3624-56-0x00000000027C0000-0x00000000047C0000-memory.dmp
memory/3852-57-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/3852-58-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3624-59-0x0000000072A80000-0x0000000073231000-memory.dmp
memory/2520-60-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/2520-61-0x0000000000B00000-0x0000000000FB4000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xionsjfd.hfk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1540-79-0x000001E712700000-0x000001E712722000-memory.dmp
memory/1540-83-0x00007FFFA8170000-0x00007FFFA8C32000-memory.dmp
memory/1540-84-0x000001E712240000-0x000001E712250000-memory.dmp
memory/1540-85-0x000001E712240000-0x000001E712250000-memory.dmp
memory/1540-86-0x000001E712240000-0x000001E712250000-memory.dmp
memory/1540-87-0x000001E72AA40000-0x000001E72AA52000-memory.dmp
memory/1540-88-0x000001E72A920000-0x000001E72A92A000-memory.dmp
memory/1540-94-0x00007FFFA8170000-0x00007FFFA8C32000-memory.dmp
memory/2520-95-0x0000000000B00000-0x0000000000FB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/4548-113-0x0000000000480000-0x0000000000738000-memory.dmp
memory/4556-112-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4556-114-0x00000000727F0000-0x0000000072FA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/576-136-0x00000000727F0000-0x0000000072FA1000-memory.dmp
memory/576-137-0x0000000000A20000-0x0000000000A72000-memory.dmp
memory/576-138-0x0000000005930000-0x0000000005ED6000-memory.dmp
memory/576-139-0x0000000005420000-0x00000000054B2000-memory.dmp
memory/1128-141-0x00007FFFA8370000-0x00007FFFA8E32000-memory.dmp
memory/576-142-0x0000000005400000-0x000000000540A000-memory.dmp
memory/1128-143-0x0000000000B30000-0x0000000000BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp21DB.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/576-144-0x00000000055E0000-0x00000000055F0000-memory.dmp
memory/1128-159-0x000000001B870000-0x000000001B880000-memory.dmp
memory/576-160-0x0000000005F60000-0x0000000005FD6000-memory.dmp
memory/576-161-0x0000000006720000-0x000000000673E000-memory.dmp
memory/576-164-0x0000000006FA0000-0x00000000075B8000-memory.dmp
memory/576-165-0x0000000006AF0000-0x0000000006BFA000-memory.dmp
memory/576-166-0x0000000006A30000-0x0000000006A42000-memory.dmp
memory/576-167-0x0000000006A90000-0x0000000006ACC000-memory.dmp
memory/576-168-0x0000000006C00000-0x0000000006C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/2520-197-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/4660-199-0x0000000000800000-0x0000000000874000-memory.dmp
memory/1624-196-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1624-200-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1624-201-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/4556-219-0x00000000727F0000-0x0000000072FA1000-memory.dmp
memory/1128-221-0x000000001C900000-0x000000001C912000-memory.dmp
memory/1128-220-0x000000001B870000-0x000000001B880000-memory.dmp
memory/1128-218-0x000000001DE00000-0x000000001DF0A000-memory.dmp
memory/1128-222-0x000000001DD30000-0x000000001DD6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/4432-242-0x00000000727F0000-0x0000000072FA1000-memory.dmp
memory/4432-243-0x0000000000750000-0x00000000007A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718508534-2116753757-2794822388-1000\76b53b3ec448f7ccdda2063b15d2bfc3_67d0031d-6e32-4a16-a828-c69a0898a61c
| MD5 | ebb30fe511d4a56f6b759f39a0a8b9d5 |
| SHA1 | d67cc29031c7221a6f9f99d6e2eceef2cf1152d4 |
| SHA256 | 360d69be2cb8cf6edaef98b3b4433db61a0b10c2f8a142f1889e45318d3729c5 |
| SHA512 | 630f5707710ecb7e368eb5c901479a5ca004b4615f7380e182cdfb1966329ee43cfd5b5587b56af5a4dc995f18bc9e02ea3acf71a465dedffadeebd0fddf3275 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 4ff8ea78c14a4f7fa6e8cf0c139bc55b |
| SHA1 | e3fa852b5c38482a5e6e1c9234a09be6d8790ab9 |
| SHA256 | 97b89b75fdeeb096dbf36d13b18b959e50a4246691aea349213c22ae7b19cc00 |
| SHA512 | 13785608d437cb3be729986de88a35df6a7ab1ed35e6fb730448a9462e02caacbad30ad5cf328ddf598e554f758f44425bbf0dc99efd3c056fae5d930569771d |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 9a95b5c0745795d185b253a1a2a0afea |
| SHA1 | 1bd051b225789e177123ba39c3c0df77796bc54b |
| SHA256 | 6acbf4695ecdfeb85204aa177784fff7d029ccbe189c39d9bd99f33869d224e1 |
| SHA512 | bb0675cb78e4820debcba9a6f72f779ddb729b17e795e56a5a590ea45fbc4bd5d954ef8266b1697ec43a6bd72586c4b63d019f92b18724bd7928a8976fecf3cd |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/2052-298-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2052-301-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 7fabf15848c951f6665ec449c8c77098 |
| SHA1 | f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf |
| SHA256 | a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35 |
| SHA512 | 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a |
memory/2520-329-0x0000000000B00000-0x0000000000FB4000-memory.dmp
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 4cf00b7189b76957d7ba960132c649be |
| SHA1 | dacf792221087d16fb8fafb883cb8c6d7d53133e |
| SHA256 | d850072a7a101bc08cd80923c1cd3df5aca5581b371331e98642219df16ec1da |
| SHA512 | 1bb1112d9eb797f94a0dfe7cf3780dbaa816c8872a44178059e07a6b13ecb36c1e0d7a585574c8d14d0a0d8ec3028cccaa4251b616ffa4ce521388f87399c765 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 5bfaa7d74e1aba3a64648fd26291dafe |
| SHA1 | 8f3a93271807e4ac17ad5e74bb6931bb9db9a15d |
| SHA256 | d94765dc74261e62ed653aab034f0d66c546b24042cca3421a8ac6ccd2a438a3 |
| SHA512 | ab8073ab9471cd3d8fd8c0ebfdbfaa7fada7a98d33721bf29b830dfb55733d8d67d247bb80953735432375c53f06ad5e1bf962c1b61788c7cab616e54d5377ac |
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
| MD5 | 8026082d59bac905bcc4098c69b98743 |
| SHA1 | 5c8bffce653aa3b6c3e14d5f02927648b5ca8768 |
| SHA256 | f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005 |
| SHA512 | 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42 |
memory/4824-376-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
| MD5 | 22e35bea6a2653c8393db13a83b0cf97 |
| SHA1 | 31adf1873277d5c64f1533a257de3f4fd67d6ad8 |
| SHA256 | 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8 |
| SHA512 | 666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ae626d9a72417b14570daa8fcd5d34a4 |
| SHA1 | c103ebaf4d760df722d620df87e6f07c0486439f |
| SHA256 | 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a |
| SHA512 | a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14 |
C:\Users\Admin\Pictures\6ODqL6KlH5dfJZLrt7WNvlEB.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
memory/3180-426-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\Pictures\tQjC59wTg01uEnguOmXAaTWI.exe
| MD5 | be66e36ac839acbc2e3a8e3b5714007f |
| SHA1 | f1c77550d942ebe9ce108b99abd3255bbc03c66e |
| SHA256 | 522b746ff4c6e0673d5d7a7b2093a9dc097cb5ad9173ab405c2dbc920a5d8980 |
| SHA512 | a40d9ca9716b1725456e4afe7d474385255f67ef5ab4272c4d09a334123e80781464d471fe839f15de4c83be91dc3f987cb3d08e63b09a5aff1af5b5b05bf1b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8dfea1340150866fa18832a74cb19e4b |
| SHA1 | c57dbc84d17459e222afac24928805716385dd01 |
| SHA256 | de2ca5fa3ee82ad2c8adb06b627d6fbe98e7845d558e44776d23f113e6e61eb5 |
| SHA512 | adf1047ab3e090e31e0ca593d912eb97e7f72987196c78e1cec1f2c308eb75340284a68ddf00970b01494e113e672944838b9f1ddd759307ed2acd3e7d11da6d |
C:\Users\Admin\AppData\Local\Temp\Extension\js\content.js
| MD5 | 9ab0f9320495b406fddb6de1730652cc |
| SHA1 | a6d35a74dc53289794c9a05dc1ad8c03878e153a |
| SHA256 | ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1 |
| SHA512 | c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe |
C:\Users\Admin\AppData\Local\Temp\Extension\manifest.json
| MD5 | 9358845d5150234f2c91c6c9b8f73ede |
| SHA1 | bcc689cb7b97b8f726c966706e1c39e90194744a |
| SHA256 | 30c327ec2dab6b33eaac97c17c036f199c986f949d75fe56c87fe84ebc965b60 |
| SHA512 | fa6b069f29e176cfb7dd036b38bddf09c3114b85ad3b41d29f1195ef4196c8d80374abbf636411447d76b65312c72c625af3f9463d9342ab07710fd2b4a19d5c |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
| MD5 | bdbf6940051129827b3b2e3de0dfd274 |
| SHA1 | d64ad108204df846362ebe196e092b98b32984a7 |
| SHA256 | a43f8505c83a24258895bcfcb029b9b6399ddbb548d3bc770fff8a1b705b7ac3 |
| SHA512 | 66f0f66033f763b8e064ae123b6170472019141e4f451b5d7029b216deb4fa5c6a4ed94f2a96745ff1bf53cbc86042584a0df7c3af54701ab223697c5e1efdd5 |
\??\pipe\crashpad_2956_PCLHAZCXGKSEOCXN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 17a6983728ccdfb6bb4f3515ac1ca701 |
| SHA1 | 0f8a09eb45da130c30260255b9c1a479a615cb91 |
| SHA256 | 610b94f45ff807062c48a9840c4d2f4e2ebf280b53ff3fed31f844a03be1573c |
| SHA512 | 5f0a5e10ad6a86a562caf49c1ffdc3caaa42f60c37e4e231861948cc64c543c59c07b48b606f011dcc3999e4b5bb767f5a780f41475468cf52438dd4c685fc08 |
C:\Users\Admin\AppData\Local\Temp\Extension\background.js
| MD5 | d8f0b154a3dda574d039f01b2e0b1c96 |
| SHA1 | 2bd3059ec526d17dc35f40608ad543af31c07608 |
| SHA256 | 75b3e40f14cdc4b11837fb76516f9475fd72802081b81069c036894af2f8ad42 |
| SHA512 | 926c7a0e540c08c2ae15de4192fa72faa31bb9cf0d8efe9a77d9ed11f1768ee55900a8bcaa7786f0865a082fdb88d5bfd43356d0b141fcc108d67442c2b2c6fb |
C:\Users\Admin\Pictures\NMus4ceehrf4bE0jSmnHTjuk.exe
| MD5 | 6cceb09090aac6e098fe94ccf89d0b88 |
| SHA1 | dc3d20a6759f88bd43ceec6462add30e3b7eb10e |
| SHA256 | 9af5c4844ec982b2434f0a8aa760a901d3eca5cb8759bb048712395a6c85b7de |
| SHA512 | f5008f37a744003711612850c87bb66e3a603704eafa20abdbb35362dbe4cba02e9a40ac21a0ad818a0dbaa612c68c89f6be4c18cc27c927ee0d92a21210e0fc |
C:\Users\Admin\Pictures\6RY6tH03OL6urYROFfVV6ifR.exe
| MD5 | 3a5041ca3d4237acf4f7f37cfb108958 |
| SHA1 | 75eeefe5cd0c1a8dda4499d8fd80566bbcdce135 |
| SHA256 | 02a279413de15834ab05e5d8d5467d489f646044e505b08706e83da20792a3e5 |
| SHA512 | 09bef646a85c362c1e6b52b50382397ee38c8c9f047db16d2f20c2333578a06b714c16d1cda7678b8eab398577b51c7251029ec2a5f8896de385c27508fb2f0a |
memory/2520-587-0x0000000000B00000-0x0000000000FB4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\u3rc.0.exe
| MD5 | 53171755c9957358f9acad9f47430c5d |
| SHA1 | a5c2e5ebeaf4aaafd831036d53da96cf7b83b35d |
| SHA256 | 2f11332d4ac622931ef49c52ad73773bfdd6de5ce833b1fff0362170256e6bc5 |
| SHA512 | ec89bd7a628b9f006d693166d0442bcf6401362175a93abdf80fa674933819d1ab745d85e65cd87d2208b8ed22c3941875bfb9844deba5dfc552d1f11e197369 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2b50aed56d4929692d333275beb9f1f1 |
| SHA1 | adef4cc38a9283423afd7d390ae39f6e74a0c578 |
| SHA256 | b974ac59c2aa8c174c147b265cfa55855e903ee945ae20ffd701e6a474d5bfed |
| SHA512 | 6e408394dfa9081e4369f24487c3446ed51cf5eaa0d99cf65d07e80db27e4de2922c65951566f1772ef1c625916590eacb1b2dd1a6e916bafde5780c9a38d96f |
memory/4872-617-0x0000000000400000-0x000000000086B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9c4df119e239af8aacd65a5f328f9eff |
| SHA1 | 16d95e16c8ed6bc0ca02a579b70329b0fb154c40 |
| SHA256 | c786383ad2193114f7b25771d5909f46ce6d1a1caf7efa09d2489d320432e1df |
| SHA512 | a2777aacd56e826b035ce9362dc392ca203f513db1e29603f8cca0917c4367e10b571a69b50a1c932fa8294fbf03575631df3f442a9d39253240ffe522562598 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e41a429e06fc3af2dc27257201a7ca90 |
| SHA1 | 7f3c88fb5913569d9e4f25bf9ed0332529a8ddb8 |
| SHA256 | 76150d45e9dd3ceaf6c09d192a4220994d5879d7cce735ab6dc7fae815f741fd |
| SHA512 | 3671fe866dc0c6e24f0e0507ed1683b88d00a3d6a1f4c111670aef3e8d86bf1e5ba889b521ff6fbc055df4c1d49534693aa48b6df3b6dc10c5d95d46a85876d4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 4a3f8641508e0204cbdba86fc68b15eb |
| SHA1 | 366af6964dbe07116add0472c3c751b0f0170211 |
| SHA256 | df3019cbb22ccf3061041930bd232024518aae7ad014ffaaac77c04b685d604c |
| SHA512 | c3cc8447748194cb3490fd8cb792fa027e5fbf738d25b03d6d5c93b977f6a08d2cbf1b9b4171a03e960fdb3b264c60795eb15043a22e8774a702a32f8b6ed414 |
memory/5332-686-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5392-687-0x0000000000400000-0x000000000086B000-memory.dmp
memory/2052-717-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a985cc9e80d6277987ecd08644eb0158 |
| SHA1 | 5dc7bf3edc657cc91135b21e688c1b3be61a83d0 |
| SHA256 | cbfab8cc75861068cb523dd9090af357aee25d3e8f9e1e28074eecfb1d1111d6 |
| SHA512 | dad49dc35954df2bef41aaa9efeb33c41b5fd34c6827602c5684f5c7e7e7df1412e06b9674d40568f9e8ab947886560ed18abb6238c103aa5486d41e35e4b7ee |
memory/2520-732-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/5592-734-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5684-739-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5776-760-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5332-838-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5684-837-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5776-842-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5592-845-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3rc.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u3rc.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/2520-932-0x0000000000B00000-0x0000000000FB4000-memory.dmp
memory/2504-934-0x000000006AF40000-0x000000006B0BD000-memory.dmp
memory/4872-933-0x0000000000400000-0x000000000086B000-memory.dmp
memory/2504-938-0x00007FFFC9180000-0x00007FFFC9389000-memory.dmp
memory/2504-951-0x000000006AF40000-0x000000006B0BD000-memory.dmp
C:\Users\Admin\Pictures\ly2AuaUUa2PmjoUqF3gbhD5N.exe
| MD5 | 806f295ff14699677790ca246cb69864 |
| SHA1 | 5ff2e05176ea77a6a12ed50ac8836757dd342829 |
| SHA256 | 8f1fb3595585747a418c6fc186c36e3c0a98d80cc81c5df56e8faeb5b2421fb6 |
| SHA512 | ecb12e1d799c107f39b998851938b428b1d81906615505aff3ab8426bba06d9d827e29405d8de26761341e57ef38c059d6ec68309df938326771c11dde7175a8 |
memory/2520-969-0x0000000000B00000-0x0000000000FB4000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Temp\u45s.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\Pictures\lLAdKi06bNovn46U2s4FTctk.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Users\Admin\AppData\Local\Temp\u45s.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u45s.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u45s.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/5940-1072-0x00007FFFC9180000-0x00007FFFC9389000-memory.dmp
memory/5056-1078-0x000000006AF40000-0x000000006B0BD000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
memory/5056-1089-0x00007FFFC9180000-0x00007FFFC9389000-memory.dmp
C:\Users\Admin\Pictures\wBdX5YjlwYmA4BIUKret7ifH.exe
| MD5 | e7ced003940a367cbcc07893f18867d4 |
| SHA1 | 31aaceace8f8b97b2965f79582cb77b229ca77fb |
| SHA256 | 167dc4633fb52c0b2f85616f1ee4fe5d10bab6e9aea1151deaffaf0574d7daf3 |
| SHA512 | 2b266ec503cfeff4988e9b781a0e52731ea3e3491df4642f971be6fc361ffd39c59afa92ad690ff65d3ce156c2013f2e3836270edfde1c2fb83e9352d88a1013 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404251953257345652.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 23a45210da52b197e4cb88881e8a3a93 |
| SHA1 | a076178eb2ae9fc235da03680db07ced155039b0 |
| SHA256 | c05423f55631b2cdb0283648d9b09a4a851c672d43bd1769c132fe5afdf4bf42 |
| SHA512 | 924737e042b57e78022a53985829197ba7dafa551310e0721453b6de6e496f375ebb336194d54fb226b422327ef17aa4f90bb887c12fb0a5ce74b7863c4c80e3 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\u45s.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 38d766d03be4192ea2d529ddc70b5d1d |
| SHA1 | 7f240b5efc8fa4bc2f7094d12c7eddbe3c3e264c |
| SHA256 | 01e6c849b00ad8db7bd49179e53f34cbf1998e0275ad68dd652b6b45ccaff02d |
| SHA512 | eab7febccb9fd7365d97824f1c3a785cefd669e863c88702cdbed3a178937eb7f219ebad7cdc5b42d449ba72b1cd90e03c693eaa9628ff68751ad27db75ebe90 |
C:\Users\Admin\AppData\Local\Temp\tmp772B.tmp
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\tmp776C.tmp
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251953251\opera_package
| MD5 | 3cd8a56ff25e16f464fab61fba442dfc |
| SHA1 | c0fc12b173641dea312ffaa16037f15fad15eac5 |
| SHA256 | b4f23319247abe215415d4d3730058d30229dbce8f55bb8a139e7f3e903a4410 |
| SHA512 | 2488238ecb866d022dc811a0bdcfb76c008d7e520ee82702747479df53adc19ae65aeaf2056034d560fd6481db8cebd7b6a8810c7c4839249e66ac93d743e53b |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251953251\additional_file0.tmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 19:51
Reported
2024-04-25 19:54
Platform
win10v2004-20240412-en
Max time kernel
66s
Max time network
153s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7wuGEJczI8PROwjcX9IOiM8F.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5020 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 100 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 724 set thread context of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2712 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe
"C:\Users\Admin\AppData\Local\Temp\ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 800
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084619521222_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 100 -ip 100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 352
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 724 -ip 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 356
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
"C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe"
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa827fab58,0x7ffa827fab68,0x7ffa827fab78
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffa7f8246f8,0x7ffa7f824708,0x7ffa7f824718
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1948 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=2044,i,2706588155704615504,3124682816198816532,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Users\Admin\Pictures\7wuGEJczI8PROwjcX9IOiM8F.exe
"C:\Users\Admin\Pictures\7wuGEJczI8PROwjcX9IOiM8F.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Pictures\ymrr2awxIWyKaF4yuqvF6kJB.exe
"C:\Users\Admin\Pictures\ymrr2awxIWyKaF4yuqvF6kJB.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Pictures\DuHaGWCWszdp8qWBK4xXnZap.exe
"C:\Users\Admin\Pictures\DuHaGWCWszdp8qWBK4xXnZap.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\u4p0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4p0.0.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,194048807118566709,16466286370500173723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
C:\Users\Admin\Pictures\jCdOHVmxOeSFD9RxGzWQ08sD.exe
"C:\Users\Admin\Pictures\jCdOHVmxOeSFD9RxGzWQ08sD.exe"
C:\Users\Admin\Pictures\erMtpOSc107aaTZJAsgxRQcT.exe
"C:\Users\Admin\Pictures\erMtpOSc107aaTZJAsgxRQcT.exe"
C:\Users\Admin\Pictures\h5LEqMbe44jzFQ93hZyKig23.exe
"C:\Users\Admin\Pictures\h5LEqMbe44jzFQ93hZyKig23.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Users\Admin\AppData\Local\Temp\u5go.0.exe
"C:\Users\Admin\AppData\Local\Temp\u5go.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\wqty4p0TLsiIT9djxk8DmWKM.exe
"C:\Users\Admin\Pictures\wqty4p0TLsiIT9djxk8DmWKM.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\u5go.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u5go.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Users\Admin\AppData\Local\Temp\u4p0.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4p0.2\run.exe"
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Pictures\h5LEqMbe44jzFQ93hZyKig23.exe
"C:\Users\Admin\Pictures\h5LEqMbe44jzFQ93hZyKig23.exe"
C:\Users\Admin\Pictures\ymrr2awxIWyKaF4yuqvF6kJB.exe
"C:\Users\Admin\Pictures\ymrr2awxIWyKaF4yuqvF6kJB.exe"
C:\Users\Admin\Pictures\DuHaGWCWszdp8qWBK4xXnZap.exe
"C:\Users\Admin\Pictures\DuHaGWCWszdp8qWBK4xXnZap.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6492 -ip 6492
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1020
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2444 -ip 2444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1016
C:\Users\Admin\Pictures\erMtpOSc107aaTZJAsgxRQcT.exe
"C:\Users\Admin\Pictures\erMtpOSc107aaTZJAsgxRQcT.exe"
C:\Users\Admin\Pictures\0Ubkx6TgbJE3KY3i5zpFvo6d.exe
"C:\Users\Admin\Pictures\0Ubkx6TgbJE3KY3i5zpFvo6d.exe"
C:\Users\Admin\AppData\Local\Temp\7zSF894.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\AppData\Local\Temp\u5go.3.exe
"C:\Users\Admin\AppData\Local\Temp\u5go.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7080 -ip 7080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 1444
C:\Users\Admin\AppData\Local\Temp\u4p0.3.exe
"C:\Users\Admin\AppData\Local\Temp\u4p0.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6084 -ip 6084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1544
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\Pictures\Xsx2enmMx6SkVYfNR0W59wNb.exe
"C:\Users\Admin\Pictures\Xsx2enmMx6SkVYfNR0W59wNb.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 19:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\kKNTNCB.exe\" em /nhsite_idbwH 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\kKNTNCB.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\kKNTNCB.exe em /nhsite_idbwH 385118 /S
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
Network
Files
memory/1600-0-0x0000000000AB0000-0x0000000000F64000-memory.dmp
memory/1600-1-0x0000000077D14000-0x0000000077D16000-memory.dmp
memory/1600-2-0x0000000000AB0000-0x0000000000F64000-memory.dmp
memory/1600-3-0x0000000004F90000-0x0000000004F91000-memory.dmp
memory/1600-4-0x0000000004F80000-0x0000000004F81000-memory.dmp
memory/1600-5-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
memory/1600-6-0x0000000004F60000-0x0000000004F61000-memory.dmp
memory/1600-7-0x0000000004F70000-0x0000000004F71000-memory.dmp
memory/1600-8-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
memory/1600-10-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
memory/1600-9-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/1600-15-0x0000000000AB0000-0x0000000000F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | ce40fa2c7c0d6847ee6cf5c3d7e15506 |
| SHA1 | 325317c47d3677428ced294f76e06390d937df7c |
| SHA256 | ab4523abcb1ed941a8f9b3a0e8665c8d6c3c3e1df66a5bb2bfaa0c43bc5d15ce |
| SHA512 | eabdeab6b978fc7bc7ad7c01910388486001eebf64ea49a72bcce5d64adf337b93685e0493f3b9c12a4158481dfd94d422652752aa200ef98db6227add1f80ae |
memory/3520-18-0x0000000000290000-0x0000000000744000-memory.dmp
memory/3520-19-0x0000000000290000-0x0000000000744000-memory.dmp
memory/3520-20-0x0000000004C20000-0x0000000004C21000-memory.dmp
memory/3520-25-0x0000000004C00000-0x0000000004C01000-memory.dmp
memory/3520-24-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
memory/3520-23-0x0000000004C50000-0x0000000004C51000-memory.dmp
memory/3520-22-0x0000000004C10000-0x0000000004C11000-memory.dmp
memory/3520-21-0x0000000004C30000-0x0000000004C31000-memory.dmp
memory/3520-26-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/3520-27-0x0000000004C70000-0x0000000004C71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/5020-47-0x0000000000E40000-0x0000000000E92000-memory.dmp
memory/5020-48-0x0000000073920000-0x00000000740D0000-memory.dmp
memory/3624-51-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3624-54-0x0000000000400000-0x000000000044C000-memory.dmp
memory/5020-55-0x0000000003380000-0x0000000005380000-memory.dmp
memory/3624-56-0x0000000001020000-0x0000000001021000-memory.dmp
memory/3624-57-0x0000000000400000-0x000000000044C000-memory.dmp
memory/5020-58-0x0000000073920000-0x00000000740D0000-memory.dmp
memory/3520-59-0x0000000000290000-0x0000000000744000-memory.dmp
memory/3520-60-0x0000000000290000-0x0000000000744000-memory.dmp
memory/3520-61-0x0000000000290000-0x0000000000744000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
memory/3520-74-0x0000000000290000-0x0000000000744000-memory.dmp
memory/5104-75-0x000001D4B5D20000-0x000001D4B5D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lgb3ylz.coa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5104-85-0x00007FFA81A40000-0x00007FFA82501000-memory.dmp
memory/5104-86-0x000001D49D730000-0x000001D49D740000-memory.dmp
memory/5104-87-0x000001D49D730000-0x000001D49D740000-memory.dmp
memory/5104-88-0x000001D49D730000-0x000001D49D740000-memory.dmp
memory/5104-89-0x000001D4B60D0000-0x000001D4B60E2000-memory.dmp
memory/5104-90-0x000001D49D740000-0x000001D49D74A000-memory.dmp
memory/5104-96-0x00007FFA81A40000-0x00007FFA82501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/960-113-0x0000000000400000-0x0000000000592000-memory.dmp
memory/100-114-0x00000000008F0000-0x0000000000BA8000-memory.dmp
memory/960-115-0x0000000072FD0000-0x0000000073780000-memory.dmp
memory/960-118-0x00000000056E0000-0x00000000056F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/3600-137-0x0000000072FD0000-0x0000000073780000-memory.dmp
memory/3600-139-0x0000000000220000-0x0000000000272000-memory.dmp
memory/3600-140-0x0000000005040000-0x00000000055E4000-memory.dmp
memory/3600-141-0x0000000004B30000-0x0000000004BC2000-memory.dmp
memory/3600-142-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
memory/3600-144-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/4420-145-0x00007FFA81AF0000-0x00007FFA825B1000-memory.dmp
memory/4420-146-0x0000000000DC0000-0x0000000000E80000-memory.dmp
memory/4420-161-0x000000001BAD0000-0x000000001BAE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp356.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3600-164-0x0000000005770000-0x00000000057E6000-memory.dmp
memory/3600-165-0x0000000005F70000-0x0000000005F8E000-memory.dmp
memory/3600-168-0x00000000067F0000-0x0000000006E08000-memory.dmp
memory/3600-169-0x0000000006340000-0x000000000644A000-memory.dmp
memory/3600-170-0x0000000006280000-0x0000000006292000-memory.dmp
memory/3600-171-0x00000000062E0000-0x000000000631C000-memory.dmp
memory/3600-172-0x0000000006450000-0x000000000649C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/1136-189-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1136-192-0x0000000000400000-0x000000000044E000-memory.dmp
memory/724-190-0x00000000006A0000-0x0000000000714000-memory.dmp
memory/1136-193-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/4420-194-0x000000001BAD0000-0x000000001BAE0000-memory.dmp
memory/4420-204-0x000000001E420000-0x000000001E52A000-memory.dmp
memory/4420-205-0x000000001E310000-0x000000001E322000-memory.dmp
memory/4420-209-0x000000001E370000-0x000000001E3AC000-memory.dmp
memory/3520-214-0x0000000000290000-0x0000000000744000-memory.dmp
memory/960-215-0x0000000072FD0000-0x0000000073780000-memory.dmp
memory/4420-216-0x000000001BAD0000-0x000000001BAE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
| MD5 | 8026082d59bac905bcc4098c69b98743 |
| SHA1 | 5c8bffce653aa3b6c3e14d5f02927648b5ca8768 |
| SHA256 | f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005 |
| SHA512 | 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42 |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
| MD5 | 22e35bea6a2653c8393db13a83b0cf97 |
| SHA1 | 31adf1873277d5c64f1533a257de3f4fd67d6ad8 |
| SHA256 | 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8 |
| SHA512 | 666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/2296-334-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 85deec65e16c4202676771c20a0c6822 |
| SHA1 | e393d00707d69e39098f4eb054561566f068eebc |
| SHA256 | e166e39510a22a0bae4cff6bd42ba41508db86ab2fd7cbb57d62162b7fd9de04 |
| SHA512 | 356557c99494b4fa7faf0591fa6d7286e26573044f124d3522e6d0421f452b4210fda2d6ee8b2df64c3592c91104ef2ddaa864283b7b6ba9b7eed44cf06de313 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 47be4995cef01a9463033d4c3d5245ef |
| SHA1 | 0d66fe664a37479beed1a728988da83974aafd4b |
| SHA256 | 84a6855d1ce855be6603c87f06ee402a881f4e6d70e22156e27f3e22be1bc7b6 |
| SHA512 | 35d81cbdd9cc643fca211a2ee791e49d2e78b73797bd08214b0b374cf89883a86fbe21cb062075c34ffb2a49f62f90e477748d7db813be3f28094270a4a43c6a |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4084619521-2220719027-1909462854-1000\76b53b3ec448f7ccdda2063b15d2bfc3_338e918a-08d3-477c-81e2-0f9a71d72db8
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | d5a0f29bba4c1168f89e71912c285769 |
| SHA1 | 09c64b0d31007b9a856badd9b50e96c5252a298d |
| SHA256 | dc2fc28066f901dcb1d516c0926b8d87180f8f5aba4b04bc7137b61062b5d45c |
| SHA512 | ca89e86a17508b73f9b1bbbdd22dfe5793be88ecb0d0eb0d77633d8c579e7343141b6722b39a26f3c0d790232edbd4255d7e58ac88b4a20094b2bd9c6e38467b |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 87254ef30944906eef975522f82fe5d7 |
| SHA1 | 3b269b8f0b05811773d1d55d12f9ec4379f36aa9 |
| SHA256 | a3868f88949d3054c0d538213eaddaf4b6344f2b1d1f41e8a25867a693f4138d |
| SHA512 | f9160b7524e36a398fd0cb504634693de1fbb87a1b87c8cb8ba2112c192c35c2b34b1bfd2b6dd3db4fd9c46a22e08c4e92f13969c366353c4627e915b45a9f0a |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | f5f7eaf36eaf49c04a6acda81c5a698d |
| SHA1 | fdf66e542f5619b972aa05c0519b0b44f9af0fb9 |
| SHA256 | 781e78cd6f664a585d187a4010d45d30213872207133f0bf87a2d201f45cffd3 |
| SHA512 | 8f0a3c70fcdc6194bc50a151dd8a61e7c0386e69ec45fe74fbf2c983249f8ca869bcb93dd2c79e99f58ccdd428d608131cb0fe5701a24f1ff755fcaf7b8d653b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cb138796dbfb37877fcae3430bb1e2a7 |
| SHA1 | 82bb82178c07530e42eca6caf3178d66527558bc |
| SHA256 | 50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd |
| SHA512 | 287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | baa7aea69f1fc6de5c6744a3de244d9c |
| SHA1 | 7ac32cd8e4afa29cbb6c04bb8727735c29ebadc5 |
| SHA256 | adb474e336b151cf28ead952e8248f9ec8daf30aadc78e716822d9c27f6dde69 |
| SHA512 | 4927c72a9d778a8343f812714356150069349e39937f2e32c62f19ffee226b94eada91756f07f96e22472252f20185177038b3e1e1dd7b8920d676e4e2198f0c |
\??\pipe\crashpad_3620_FGMPWTTRRQJASKYF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
| MD5 | 126f4231c6a3db73450a7a1842fe1930 |
| SHA1 | 6803bef141264a65f2c0af1c82049aa5c8b300c2 |
| SHA256 | 0268be5c268c2f3ac0b375f7e19014ac3fd8dc550adb8f8b7123e7b5a3164759 |
| SHA512 | 87495b0a9746d627bce118b61c4f14392060f2aeec0c38ad284daba510b9333bc5bc045f93baf3ca5ccd55162d2acb468dde9834da4a65d5d58abec14f6dd2d2 |
C:\Users\Admin\AppData\Local\Temp\Extension\js\content.js
| MD5 | 9ab0f9320495b406fddb6de1730652cc |
| SHA1 | a6d35a74dc53289794c9a05dc1ad8c03878e153a |
| SHA256 | ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1 |
| SHA512 | c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe |
C:\Users\Admin\AppData\Local\Temp\Extension\manifest.json
| MD5 | 9358845d5150234f2c91c6c9b8f73ede |
| SHA1 | bcc689cb7b97b8f726c966706e1c39e90194744a |
| SHA256 | 30c327ec2dab6b33eaac97c17c036f199c986f949d75fe56c87fe84ebc965b60 |
| SHA512 | fa6b069f29e176cfb7dd036b38bddf09c3114b85ad3b41d29f1195ef4196c8d80374abbf636411447d76b65312c72c625af3f9463d9342ab07710fd2b4a19d5c |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
C:\Users\Admin\AppData\Local\Temp\Extension\background.js
| MD5 | d8f0b154a3dda574d039f01b2e0b1c96 |
| SHA1 | 2bd3059ec526d17dc35f40608ad543af31c07608 |
| SHA256 | 75b3e40f14cdc4b11837fb76516f9475fd72802081b81069c036894af2f8ad42 |
| SHA512 | 926c7a0e540c08c2ae15de4192fa72faa31bb9cf0d8efe9a77d9ed11f1768ee55900a8bcaa7786f0865a082fdb88d5bfd43356d0b141fcc108d67442c2b2c6fb |
C:\Users\Admin\Pictures\Zw58gez2oGsDBMBjjC6gi3UL.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\7wuGEJczI8PROwjcX9IOiM8F.exe
| MD5 | 3a5041ca3d4237acf4f7f37cfb108958 |
| SHA1 | 75eeefe5cd0c1a8dda4499d8fd80566bbcdce135 |
| SHA256 | 02a279413de15834ab05e5d8d5467d489f646044e505b08706e83da20792a3e5 |
| SHA512 | 09bef646a85c362c1e6b52b50382397ee38c8c9f047db16d2f20c2333578a06b714c16d1cda7678b8eab398577b51c7251029ec2a5f8896de385c27508fb2f0a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a9519bc058003dbea34765176083739e |
| SHA1 | ef49b8790219eaddbdacb7fc97d3d05433b8575c |
| SHA256 | e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b |
| SHA512 | a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 14ec3223bd49a54bf0432b2ed4ccb62c |
| SHA1 | f5c871b6a735d9aeee87f358b25be77c906a08e9 |
| SHA256 | 910bbb6e82034aa47c94c94cef03abd378e1f6602d75fceaa965c02895d4f86b |
| SHA512 | e4c66f469f09de731ac1210324aa142104409df1811b84566f6e7c0ef46b6ed3a6fbaf8ad6c2ea7b588e90c8ff397c067b6364e0e11ae3471e2e792ff64c5fdc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f0bca6b4fa800341c48411783c9241f8 |
| SHA1 | 7b5c88e2cad3906f3985df3bf3896826f5fbd3ce |
| SHA256 | 8925ab7ecbc38cd7ca2cb38f92373d276932b6cb18c2bdb55831adfb9f7aa7c9 |
| SHA512 | 1a1daea6aa68abde9d62097a38127317edc83fa81221a8cbdb31e42950d440f9132f48d7fed37bf38b7a80e66e2b687291b1349c22ced562af6bc3169fea77a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\Pictures\ymrr2awxIWyKaF4yuqvF6kJB.exe
| MD5 | 6cceb09090aac6e098fe94ccf89d0b88 |
| SHA1 | dc3d20a6759f88bd43ceec6462add30e3b7eb10e |
| SHA256 | 9af5c4844ec982b2434f0a8aa760a901d3eca5cb8759bb048712395a6c85b7de |
| SHA512 | f5008f37a744003711612850c87bb66e3a603704eafa20abdbb35362dbe4cba02e9a40ac21a0ad818a0dbaa612c68c89f6be4c18cc27c927ee0d92a21210e0fc |
memory/3520-515-0x0000000000290000-0x0000000000744000-memory.dmp
memory/6652-516-0x0000000000400000-0x000000000063B000-memory.dmp
memory/6652-528-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 7fabf15848c951f6665ec449c8c77098 |
| SHA1 | f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf |
| SHA256 | a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35 |
| SHA512 | 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/6244-563-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
| MD5 | 6be04c9f1afaea089659629ec31a0c75 |
| SHA1 | 60a6a306a313828e0d3543ad16707386e472a06b |
| SHA256 | e7048762751ab3eb2c6836457fb1bfb82ab6cb2904b940ea7826cf3253f906b7 |
| SHA512 | af8e2b80ddc33573db265980b02f97f1cbce0c30033492bccc25eb04152566d372748d435a0c113a4b5c781d55ee9b29d476e18c9dab359985122b74edbd1c21 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
| MD5 | a4212f5a9c80fcfa5683f9b707a6a777 |
| SHA1 | d785c31d97428030cfe9bcba2b1bd3d17dfbfa5b |
| SHA256 | 36218eb95ad023a16e41c0d95a7512ec687fb2675546df8c01cd593edc7ca5f1 |
| SHA512 | 9ed20102bf36b198e7c46e35fd5e3f392a2fc25017eef7f6c6ecc7175aabc9546cabd81ee2b67c5c457c7dd5c6075f0ff63f5405fda30be321ace137deee6e62 |
memory/6652-571-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | c0510a4a4999c4aded61fdb40c96a53d |
| SHA1 | 2e702d8ac0d6eddc03af04605e3ae00310f85eaf |
| SHA256 | 4d7531b69f45f25c6817a4fa5a481d1e21b2090e5cc30beee51e5f395606c259 |
| SHA512 | 89813ccf3d13cecc762da0adb0ea3a7d5e9771160f300bd6745e0f3db003abdd68f93abcc570c7951a0ecbbeed9d7a6a6572e4334369184efe2b3882e117053a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8b0af3a6d20cbc6795e7b20ef5277fa1 |
| SHA1 | 94ff28feb77c1357680385547f02e98e49d2a8da |
| SHA256 | cfb3a77b3253147bd861785834cbb682bd05f12ff668d4715d5a5108af65f87e |
| SHA512 | 4a377a2be6977d898288fa5bad6063dca88a98bcad0966b7da09aa910d15aee3c9e4337582006156824487c1189a1a042abeec86f52a90928bbffe33f5eda45f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 09fe3d49f9e8e5a1e563116117230ec4 |
| SHA1 | a3089988629515f201e81170f5f3bf246aef5e6c |
| SHA256 | 9bacff2046a8041a391d925b9928ee71a04b93bcbcee6212b3998a6ecec04491 |
| SHA512 | 715cde091e1e951578a0a71ecb2023b5a46b33b8248fec9ce58220490da70f3c5320d005ca24e572925c5829c6fa3287f46853cde61439d43eefd4eb64773f16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d544007dbf97f4fb3bcc97cee189ca31 |
| SHA1 | b0a0e02feea0f5d0fdc8e6bc0dd98f48f4c83a6d |
| SHA256 | 0617addd55b531873219d0c4d2bc4b0d0fab932062ef0ac92ff61e784ae075e8 |
| SHA512 | 49883a18ebabbe8a39bb66fc82ecde1d4ea267a738664659879b48210a8dd5b86b671ed23507a62db7f6dd29e8678ad8bd441e182206581a5726859340bb1b6a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0efedb4922e7b00e381557d5a98368f6 |
| SHA1 | beb7a60edea414a383b6601caa043891d1dcfd97 |
| SHA256 | 60b871123ba77dab5623141fd1a7171a8725b948ab0987c9815fbbcb01fccf4c |
| SHA512 | 7e0e46486afcefcf339dc56e81d0779c95626462cf1dfadd19b7b4b17efaffad6ad992d211e9dbc652cb31aba8a2d5ccd1541b94cef7dcf9075c09d4984fdf89 |
C:\Users\Admin\AppData\Local\Temp\u4p0.0.exe
| MD5 | 53171755c9957358f9acad9f47430c5d |
| SHA1 | a5c2e5ebeaf4aaafd831036d53da96cf7b83b35d |
| SHA256 | 2f11332d4ac622931ef49c52ad73773bfdd6de5ce833b1fff0362170256e6bc5 |
| SHA512 | ec89bd7a628b9f006d693166d0442bcf6401362175a93abdf80fa674933819d1ab745d85e65cd87d2208b8ed22c3941875bfb9844deba5dfc552d1f11e197369 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 6184676075afacb9103ae8cbf542c1ed |
| SHA1 | bc757642ad2fcfd6d1da79c0754323cdc823a937 |
| SHA256 | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b |
| SHA512 | 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa |
C:\Users\Admin\Pictures\wqty4p0TLsiIT9djxk8DmWKM.exe
| MD5 | 806f295ff14699677790ca246cb69864 |
| SHA1 | 5ff2e05176ea77a6a12ed50ac8836757dd342829 |
| SHA256 | 8f1fb3595585747a418c6fc186c36e3c0a98d80cc81c5df56e8faeb5b2421fb6 |
| SHA512 | ecb12e1d799c107f39b998851938b428b1d81906615505aff3ab8426bba06d9d827e29405d8de26761341e57ef38c059d6ec68309df938326771c11dde7175a8 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Temp\u5go.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u5go.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\u4p0.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u4p0.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u4p0.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
C:\Users\Admin\AppData\Local\Temp\u4p0.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\Pictures\0Ubkx6TgbJE3KY3i5zpFvo6d.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
C:\Users\Admin\AppData\Local\Temp\u5go.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\Pictures\Xsx2enmMx6SkVYfNR0W59wNb.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | ccce5fc9545cec7332eb053c61a7848d |
| SHA1 | cef400e4e7deffbb1f1e31abb4b3965b7e91c5c6 |
| SHA256 | a5184523dc35238866d81eab1c54e8618cf2ee4e7f55ebbac5d9e7f8bec12be0 |
| SHA512 | 99c6087462f008b994817baf3be00621e3dcad9c9e1faa3223980dc549761b38a54b367cbf54ba4e0323c960d3d239c1b3d07c7c41f12e015946032a4fdc09b2 |
C:\Users\Admin\AppData\Local\Temp\tmp5105.tmp
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\tmp534A.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 9a6383cc1f4421edc559c59c76fea420 |
| SHA1 | c52aecdea66d6571100ce0c064560d5ab1b89dee |
| SHA256 | a3b00d4e582efd8ae46835e1278e7b03141c360a7ae459eca37379da12a32c8a |
| SHA512 | 5eb2ae71602ed464fe3740248743661755f52cf63d6edde0ef9c9cbe395a8979dc44b59367a8c9cd9c4b71b954358e5af296da6bb96d32fe12a0faa5a953eb98 |