Malware Analysis Report

2024-09-11 08:43

Sample ID 240427-cjlqsahg4w
Target 2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1
SHA256 2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1
Tags
amadey evasion trojan redline risepro sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1

Threat Level: Known bad

The file 2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1 was found to be: Known bad.

Malicious Activity Summary


RedLine payload

Amadey

SectopRAT

Detect Xworm Payload

ZGRat

Xworm

Stealc

RedLine

RisePro

SectopRAT payload

Detect ZGRat V1

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Blocklisted process makes network request

Reads data files stored by FTP clients

Executes dropped EXE

Reads WinSCP keys stored on the system

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Reads local data of messenger clients

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies system certificate store

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-27 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 02:06

Reported

2024-04-27 02:08

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe

"C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 9f56ac0742f5c44783bde32fcb5d7064
SHA1 59d649d6a6490fe0526c3682d109c15b058bbd90
SHA256 2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1
SHA512 d5c4de738284049efe1ab5ceeb98c1829cc4b63aceaedf3f120ba9fb79adba83648f137cc9548244a13cb0c89ba8346ab8e9d9ec78fd47b75196fbfb58fa98e4


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 02:06

Reported

2024-04-27 02:08

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Xworm

trojan rat xworm

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\5aca3099a3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\5aca3099a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\5aca3099a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\1000017002\5aca3099a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClient.exe N/A
N/A N/A C:\Windows\Temp\4729.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClientC.exe N/A
N/A N/A C:\Windows\Temp\615934.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\1000017002\5aca3099a3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\1c60ed5fcc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\1c60ed5fcc.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\5aca3099a3.exe = "C:\\Users\\Admin\\1000017002\\5aca3099a3.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3062789476-783164490-2318012559-1000\{71D89505-DC3D-4149-960F-B94A85E35FA6} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\1000017002\5aca3099a3.exe N/A
N/A N/A C:\Users\Admin\1000017002\5aca3099a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2548 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2548 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1548 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1548 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1548 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1548 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1548 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1548 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1548 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe
PID 1548 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe
PID 1548 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe
PID 2532 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2532 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3304 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3304 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 2404 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 2404 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe

"C:\Users\Admin\AppData\Local\Temp\2219e31e8431ba6470429dd2f920ab0ddceb9fd0f4e13b8cfd5787f6e8cfa7e1.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe

"C:\Users\Admin\AppData\Local\Temp\1000016001\1c60ed5fcc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf976ab58,0x7ffcf976ab68,0x7ffcf976ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:1

C:\Users\Admin\1000017002\5aca3099a3.exe

"C:\Users\Admin\1000017002\5aca3099a3.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3368 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3364 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1804,i,13280162864425730956,134907671271125906,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 900

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 392

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2584 -ip 2584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 400

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClient confirm

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\Temp\4729.exe

"C:\Windows\Temp\4729.exe" --list-devices

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\062789476783_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClientC confirm

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000230001\mstc.exe'

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\Temp\615934.exe

"C:\Windows\Temp\615934.exe" --coin BTC -m ADDRESSES -t 0 --range 373da973a00000000:373da973c00000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Network


Files
