Malware Analysis Report

2024-12-08 01:45

Sample ID 240427-ll8g1agd9w
Target 70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521
SHA256 70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521
Tags
amadey evasion trojan glupteba redline risepro sectoprat stealc zgrat @cloudytteam test1234 discovery dropper infostealer loader persistence rat rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521

Threat Level: Known bad

The file 70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521 was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan glupteba redline risepro sectoprat stealc zgrat @cloudytteam test1234 discovery dropper infostealer loader persistence rat rootkit spyware stealer

Amadey

RedLine

Stealc

SectopRAT payload

RisePro

Detect ZGRat V1

Glupteba

ZGRat

Glupteba payload

SectopRAT

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Blocklisted process makes network request

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads local data of messenger clients

Checks computer location settings

Reads WinSCP keys stored on the system

Manipulates WinMonFS driver

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 09:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 09:38

Reported

2024-04-27 09:40

Platform

win10v2004-20240419-en

Max time kernel

143s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe

"C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
US 8.8.8.8:53 g.bing.com udp

Files

memory/1480-0-0x0000000000BD0000-0x0000000001069000-memory.dmp

memory/1480-1-0x0000000077AF4000-0x0000000077AF6000-memory.dmp

memory/1480-2-0x0000000004D60000-0x0000000004D61000-memory.dmp

memory/1480-6-0x0000000004D30000-0x0000000004D31000-memory.dmp

memory/1480-7-0x0000000004D40000-0x0000000004D41000-memory.dmp

memory/1480-5-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/1480-3-0x0000000004D70000-0x0000000004D71000-memory.dmp

memory/1480-4-0x0000000004D50000-0x0000000004D51000-memory.dmp

memory/1480-8-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/1480-9-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 6d8def0dc0ce644aef2473a994dd6474
SHA1 41613dc0f9578479fe1e817f19a87e096fce28cb
SHA256 70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521
SHA512 8da75de763ad1080885a10c769ecd871b6e235ef3bbd2df7795d030e43e5b127439e815b96b89b006d69efe80346d57ab38d11bfcfde17c452b6162b076ceaa6

memory/1480-22-0x0000000000BD0000-0x0000000001069000-memory.dmp

memory/4436-23-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-30-0x0000000004F30000-0x0000000004F31000-memory.dmp

memory/4436-29-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/4436-28-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/4436-27-0x0000000004F40000-0x0000000004F41000-memory.dmp

memory/4436-26-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/4436-25-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/4436-24-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/4436-32-0x0000000004F50000-0x0000000004F51000-memory.dmp

memory/4436-31-0x0000000004F60000-0x0000000004F61000-memory.dmp

memory/4436-33-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-34-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-35-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-36-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4332-38-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4332-41-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/4332-42-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/4332-40-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/4332-39-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/4332-43-0x0000000005380000-0x0000000005381000-memory.dmp

memory/4332-44-0x0000000005390000-0x0000000005391000-memory.dmp

memory/4332-45-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-46-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-47-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-48-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-49-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-50-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-51-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/2656-53-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-54-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-55-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-56-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-57-0x0000000000310000-0x00000000007A9000-memory.dmp

memory/4436-58-0x0000000000310000-0x00000000007A9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 09:38

Reported

2024-04-27 09:40

Platform

win11-20240426-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\a49844508d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\a49844508d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\a49844508d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\1000017002\a49844508d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClient.exe N/A
N/A N/A C:\Windows\Temp\380908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameServerClient\GameServerClientC.exe N/A
N/A N/A C:\Windows\Temp\464275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\1000017002\a49844508d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\24d00cd080.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\24d00cd080.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\a49844508d.exe = "C:\\Users\\Admin\\1000017002\\a49844508d.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1230210488-3096403634-4129516247-1000\{16C707BE-FF67-497F-9937-B0F5A83CE941} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\1000017002\a49844508d.exe N/A
N/A N/A C:\Users\Admin\1000017002\a49844508d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 992 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 992 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 992 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1008 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1008 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1008 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 1008 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe
PID 1008 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe
PID 1008 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe
PID 2016 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2016 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 2852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 2852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 3408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 3408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 3408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 3408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 3408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 4852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3788 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe

"C:\Users\Admin\AppData\Local\Temp\70793e74cde4434d497c9a78044bc478b920061a460d142e09805c0ee04c4521.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe

"C:\Users\Admin\AppData\Local\Temp\1000016001\24d00cd080.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb7002ab58,0x7ffb7002ab68,0x7ffb7002ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3828 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:1

C:\Users\Admin\1000017002\a49844508d.exe

"C:\Users\Admin\1000017002\a49844508d.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4428 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1784,i,9834984725768430797,3212915888013524791,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 884

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 356

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3024 -ip 3024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 372

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClient

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClient confirm

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\Temp\380908.exe

"C:\Windows\Temp\380908.exe" --list-devices

C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe

"C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1596

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClientC confirm

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\Temp\464275.exe

"C:\Windows\Temp\464275.exe" --coin BTC -m ADDRESSES -t 0 --range 38907975a00000000:38907975c00000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


memory/1564-403-0x0000000000270000-0x000000000029E000-memory.dmp

memory/3052-406-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3052-409-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1040-411-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/1008-410-0x0000000000930000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

MD5 6184676075afacb9103ae8cbf542c1ed
SHA1 bc757642ad2fcfd6d1da79c0754323cdc823a937
SHA256 a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
SHA512 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa

memory/564-440-0x0000000006B10000-0x0000000006B76000-memory.dmp

memory/3052-443-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

MD5 33c414dc6867473b8593f68fcff64efc
SHA1 60474a1232091cb41f121ed18514cda28be54fb0
SHA256 9341ff0fa9d02f90ff8dbaea353411364fa86f71fc4c5de3e87412f1f380eebd
SHA512 ba5a2cfb4100d9c0f781fe84afae7ce3d9e39f87c952d2237e97f513456a2411f9b4a7616592b0d7e5f47d6e44b8996d51a8effd1770ace86136fa4212f34977

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

MD5 bfd6d07e0eed27e7aaf52f0d355c9594
SHA1 974f8646dd455b1cd911783390f31d5b2d69546c
SHA256 10ad924ec366722301345d79b4154e9db7548afadb3f708c9b9d2b6f431110cb
SHA512 7b786bd8cd5aa4001217e04fafb2d251662d3e9a4d798065f1977fe207752308112ff325279722619f766d456887d41f0350c3116cff3f0fc81e90069969b1c4

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Program Files (x86)\GameServerClient\installg.bat

MD5 b6b57c523f3733580d973f0f79d5c609
SHA1 2cc30cfd66817274c84f71d46f60d9e578b7bf95
SHA256 d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570
SHA512 d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe

MD5 28a717becacd1e18c7b86d8b8ab3e339
SHA1 9d60947d27523baea3448005bf10302e748cb5bf
SHA256 18b00bdd809fac8be30eed2290fd26001f412702bf68dfc26749a8761822238e
SHA512 3c9e260259c3dec8266b3f82551321eed3d6e73fe9072bb3057f805b9915c7a9e56190ad776f13fc546f02aa4c77aa99267c1667987cf67afca1f95dffeef46a

C:\Program Files (x86)\GameServerClient\GameService.exe

MD5 d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1 e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA512 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

C:\Users\Admin\AppData\Local\Temp\u3ao.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\u3ao.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u3ao.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/5920-614-0x000000006BA90000-0x000000006BC0D000-memory.dmp

memory/564-612-0x0000000007480000-0x00000000074D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ao.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u3ao.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\u3ao.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/5920-615-0x00007FFB7F840000-0x00007FFB7FA49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axd4wo2o.keo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5968-633-0x000001F6AAD70000-0x000001F6AAD92000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2032-655-0x0000000000D70000-0x0000000001340000-memory.dmp

memory/5968-656-0x000001F6AAE00000-0x000001F6AAE12000-memory.dmp

memory/5968-657-0x000001F6AADF0000-0x000001F6AADFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ao.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3504-674-0x0000000007780000-0x0000000007942000-memory.dmp

memory/3504-675-0x0000000007E80000-0x00000000083AC000-memory.dmp

memory/4272-677-0x0000000000400000-0x0000000002B21000-memory.dmp

memory/1008-689-0x0000000000930000-0x0000000000DC9000-memory.dmp

memory/1040-690-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/5920-691-0x000000006BA90000-0x000000006BC0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/5320-697-0x0000000000400000-0x0000000002AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0e0ac077206e293d62410caaab40deb0
SHA1 90be2ace74e7cc1b34f786ee7c3599b9a6e87505
SHA256 5fcf87fd32f4f4a2e29577c54c082556a7616b48be5019606c495d2661f1499d
SHA512 3dbe024ba4b40d52d1298a5a4b0116a970ad70de2bb4813ab40f7fd30f027be835301a08ea81edd6024fa6f8556a11e8563d71b0c84cdecb154e562e11387543

memory/6004-723-0x00007FFB7F840000-0x00007FFB7FA49000-memory.dmp

memory/2032-725-0x0000000000D70000-0x0000000001340000-memory.dmp

memory/1008-732-0x0000000000930000-0x0000000000DC9000-memory.dmp

memory/5440-733-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 07d4cbfe9fdaa0433b9126a435518617
SHA1 1e7381bc7531f276cb9f10db07deb64a4895e51a
SHA256 1144420baf1f5f197b068e5704e623e9207185d89549529886a9fa87ee915f59
SHA512 c3f70357cf2b885a0d0e6cfaf95a648d36bd0502b6e686c56d7a03fa1342ed3b75cccedc4ed396a494e3b6dd405727b545d1cb0521b6a738fc950b1b74ce1ee1

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 9c259fc24f6777b35cd593bb9430914a
SHA1 d3211c27a12f2ff04597c5558a4f27a4ed5e8657
SHA256 b7472783dacc12aa47d45cb5315122097e64c102ff3806823dfac6d4eaba46a6
SHA512 de55eaad24a87d37165d09cc737eff9bce980db46160ccaedb140095af4822c5da359d16cc681936890f08b2dc3f2459b82b791183ae967b4d63fb8a01912788

memory/5440-763-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2944-764-0x0000028A9C1D0000-0x0000028A9FAC8000-memory.dmp

memory/5828-766-0x0000000002550000-0x0000000002586000-memory.dmp

memory/2944-765-0x0000028ABA320000-0x0000028ABA430000-memory.dmp

memory/2944-767-0x0000028A9FF30000-0x0000028A9FF40000-memory.dmp

memory/2944-768-0x0000028AA1980000-0x0000028AA198C000-memory.dmp

memory/2944-769-0x0000028AA1970000-0x0000028AA1984000-memory.dmp

memory/1040-770-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/5828-772-0x0000000005090000-0x00000000056BA000-memory.dmp

memory/1040-773-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/2944-771-0x0000028AA19F0000-0x0000028AA1A14000-memory.dmp

memory/5828-776-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/5828-774-0x00000000056F0000-0x0000000005712000-memory.dmp

memory/5828-784-0x00000000058E0000-0x0000000005C37000-memory.dmp

memory/5828-785-0x0000000005D60000-0x0000000005D7E000-memory.dmp

memory/5828-786-0x0000000005E10000-0x0000000005E5C000-memory.dmp

memory/2944-788-0x0000028ABA260000-0x0000028ABA312000-memory.dmp

memory/2944-787-0x0000028AA1A20000-0x0000028AA1A2A000-memory.dmp

memory/2944-790-0x0000028ABA5B0000-0x0000028ABA62A000-memory.dmp

memory/2944-791-0x0000028ABA630000-0x0000028ABA692000-memory.dmp

memory/2944-789-0x0000028ABA580000-0x0000028ABA5AA000-memory.dmp

memory/2944-792-0x0000028AA1940000-0x0000028AA194A000-memory.dmp

memory/2944-796-0x0000028ABA790000-0x0000028ABAA90000-memory.dmp

memory/5828-798-0x0000000006F80000-0x0000000006FB4000-memory.dmp

memory/5828-799-0x0000000072BB0000-0x0000000072BFC000-memory.dmp

memory/5828-800-0x0000000072C00000-0x0000000072F57000-memory.dmp

memory/5828-809-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

memory/5828-810-0x0000000006FE0000-0x0000000007084000-memory.dmp

memory/5828-812-0x0000000007110000-0x000000000712A000-memory.dmp

memory/5828-811-0x0000000007760000-0x0000000007DDA000-memory.dmp

memory/5828-813-0x0000000007190000-0x000000000719A000-memory.dmp

memory/2944-814-0x0000028ABF1C0000-0x0000028ABF1C8000-memory.dmp

memory/2944-815-0x0000028ABEB00000-0x0000028ABEB38000-memory.dmp

memory/2944-816-0x0000028ABEAD0000-0x0000028ABEADE000-memory.dmp

memory/5828-817-0x00000000073B0000-0x0000000007446000-memory.dmp

memory/5828-819-0x0000000007310000-0x0000000007321000-memory.dmp

memory/2944-820-0x0000028ABF470000-0x0000028ABF492000-memory.dmp

memory/2944-818-0x0000028ABF460000-0x0000028ABF46A000-memory.dmp

memory/2944-821-0x0000028ABF9C0000-0x0000028ABFEE8000-memory.dmp

memory/2944-825-0x0000028ABF1E0000-0x0000028ABF1EC000-memory.dmp

memory/2944-824-0x0000028ABF230000-0x0000028ABF280000-memory.dmp

memory/5828-826-0x0000000007340000-0x000000000734E000-memory.dmp

memory/5828-827-0x0000000007350000-0x0000000007365000-memory.dmp

memory/5828-828-0x0000000007390000-0x00000000073AA000-memory.dmp

memory/5828-829-0x0000000007450000-0x0000000007458000-memory.dmp

memory/6004-832-0x000000006BA90000-0x000000006BC0D000-memory.dmp

memory/3416-833-0x0000000000400000-0x0000000002EDF000-memory.dmp

memory/1008-836-0x0000000000930000-0x0000000000DC9000-memory.dmp

memory/2032-837-0x0000000000D70000-0x0000000001340000-memory.dmp

memory/4260-839-0x000000006E710000-0x000000006FA27000-memory.dmp

memory/1040-842-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/4260-843-0x0000000001300000-0x00000000013C6000-memory.dmp

memory/4260-844-0x00000000059E0000-0x00000000059EA000-memory.dmp

memory/2032-846-0x0000000000D70000-0x0000000001340000-memory.dmp

memory/1008-847-0x0000000000930000-0x0000000000DC9000-memory.dmp

memory/1040-848-0x0000000000FA0000-0x0000000001459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA6EB.tmp

MD5 22be08f683bcc01d7a9799bbd2c10041
SHA1 2efb6041cf3d6e67970135e592569c76fc4c41de
SHA256 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA512 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

memory/5320-861-0x0000000000400000-0x0000000002AFC000-memory.dmp

memory/5268-870-0x0000000005BF0000-0x0000000005F47000-memory.dmp

memory/5268-871-0x00000000064F0000-0x000000000653C000-memory.dmp

memory/5268-872-0x0000000072C10000-0x0000000072C5C000-memory.dmp

memory/2032-885-0x0000000000D70000-0x0000000001340000-memory.dmp

memory/2384-886-0x0000000000400000-0x0000000002EDF000-memory.dmp

memory/1008-908-0x0000000000930000-0x0000000000DC9000-memory.dmp

memory/1040-931-0x0000000000FA0000-0x0000000001459000-memory.dmp

memory/2032-936-0x0000000000D70000-0x0000000001340000-memory.dmp