Malware Analysis Report

2024-12-08 01:48

Sample ID 240427-w6yteaef3w
Target 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa
SHA256 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa
Tags
amadey evasion trojan glupteba redline risepro sectoprat stealc zgrat @cloudytteam test1234 discovery dropper infostealer loader persistence rat rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa

Threat Level: Known bad

The file 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa was found to be: Known bad.

Malicious Activity Summary

RisePro

Stealc

RedLine payload

Detect ZGRat V1

SectopRAT payload

Glupteba payload

Amadey

SectopRAT

ZGRat

RedLine

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Reads local data of messenger clients

Reads WinSCP keys stored on the system

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 18:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 18:32

Reported

2024-04-27 18:35

Platform

win10v2004-20240419-en

Max time kernel

143s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe

"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
US 8.8.8.8:53 g.bing.com udp

Files

memory/4092-0-0x0000000000090000-0x000000000053D000-memory.dmp

memory/4092-1-0x00000000778F4000-0x00000000778F6000-memory.dmp

memory/4092-2-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/4092-6-0x00000000049E0000-0x00000000049E1000-memory.dmp

memory/4092-7-0x00000000049F0000-0x00000000049F1000-memory.dmp

memory/4092-5-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/4092-4-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/4092-3-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/4092-10-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/4092-9-0x0000000004A70000-0x0000000004A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 c6c67eb559da36d1059124e4f58f5693
SHA1 98660ff111c1632bc86e96630122cd819593de60
SHA256 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa
SHA512 e1378319c487ecdd24541ca374465363c074831cb06fcbc8bf72512d9df7d77a66a5857e829bbdd1e4e3abe377668e93fa1418f6ff54effb72cefc823d09ccbb

memory/4092-22-0x0000000000090000-0x000000000053D000-memory.dmp

memory/3460-23-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-25-0x00000000050C0000-0x00000000050C1000-memory.dmp

memory/3460-26-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/3460-24-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/3460-28-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/3460-27-0x0000000005080000-0x0000000005081000-memory.dmp

memory/3460-30-0x00000000050E0000-0x00000000050E1000-memory.dmp

memory/3460-29-0x0000000005090000-0x0000000005091000-memory.dmp

memory/3460-32-0x0000000005100000-0x0000000005101000-memory.dmp

memory/3460-31-0x0000000005110000-0x0000000005111000-memory.dmp

memory/3460-33-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/1080-35-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-36-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/1080-37-0x0000000004B90000-0x0000000004B91000-memory.dmp

memory/1080-42-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/1080-41-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/1080-40-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/1080-39-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/1080-38-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/1080-43-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-44-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-45-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-46-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-47-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-48-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-49-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/4940-51-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/4940-52-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-53-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-54-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-55-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-56-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-57-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-58-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/5012-60-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/5012-61-0x0000000000A10000-0x0000000000EBD000-memory.dmp

memory/3460-62-0x0000000000A10000-0x0000000000EBD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 18:32

Reported

2024-04-27 18:35

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1080f4ac44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\1080f4ac44.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b16ff0cfd.exe = "C:\\Users\\Admin\\1000017002\\9b16ff0cfd.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1696768468-2170909707-4198977321-1000\{301419F8-90A5-4B39-B71B-3F9DDB7D61F1} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
N/A N/A C:\Users\Admin\1000017002\9b16ff0cfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2772 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2772 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2772 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2772 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2772 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2772 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2772 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe
PID 2772 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe
PID 2772 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe
PID 2824 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2824 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2728 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2728 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3572 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (22 identical events)
PID 3572 wrote to memory of 1692 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical events)
PID 3572 wrote to memory of 3668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (15 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe

"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe

"C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb02e8ab58,0x7ffb02e8ab68,0x7ffb02e8ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3220 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4472 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Users\Admin\1000017002\9b16ff0cfd.exe

"C:\Users\Admin\1000017002\9b16ff0cfd.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 888

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 404

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5128 -ip 5128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 396

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5256 -ip 5256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 384

C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"

C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\696768468217_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe

"C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5704 -ip 5704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1516

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5828 -ip 5828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 2100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
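The command lines in the process list above carry most of the behaviour a responder would want to hunt for on a live host: a scheduled task that relaunches NewB.exe every minute, an ONLOGON task and an inbound firewall rule for a csrss.exe living outside System32, a service security descriptor that denies Administrators the right to stop the WinDefender service, rundll32 loading cred64.dll/clip64.dll from AppData, a choice-based delayed self-delete, a WLAN profile dump, a Compress-Archive staging step, argument-less RegAsm.exe/MSBuild.exe launches (typical hollowing targets) and a helper that injects an NtQuerySystemInformation hook into taskmgr.exe. The following script is an added example written for this page, not part of the sandbox output or of any vendor tool: it runs a small rule set over those command lines and decodes the deny ACE in the sc sdset SDDL. The sample command lines are copied from the list above (the Chrome one shortened); the rule names, regular expressions and the ATT&CK technique labels beside them are the editor's assumptions.

```python
"""Rule-based triage of the command lines in the 'Processes' list above.

Added example by the editor, not part of the sandbox report or of any vendor
tooling. Sample command lines are copied from the report (Chrome line
shortened); rule names, regexes and ATT&CK labels are the editor's choices.
"""
import re

# (rule name, ATT&CK technique the editor associates with it, pattern)
RULES = [
    ("schtasks-minute-loop", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I)),
    ("schtasks-onlogon-highest", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b', re.I)),
    ("firewall-allow-rule", "T1562.004",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow', re.I)),
    ("service-sddl-deny-admins", "T1543.003",
     re.compile(r'\bsc(\.exe)?\s+sdset\b.*?\(D;[^)]*;BA\)', re.I)),
    ("rundll32-appdata-dll", "T1218.011",
     re.compile(r'rundll32(\.exe)?"?\s+.*?\\AppData\\.*?\.dll\s*,', re.I)),
    ("choice-delay-self-delete", "T1070.004",
     re.compile(r'choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b', re.I)),
    ("wlan-profile-dump", "T1016",
     re.compile(r'netsh\s+wlan\s+show\s+profiles?', re.I)),
    ("compress-archive-staging", "T1560.001",
     re.compile(r'powershell\b.*?compress-archive\b', re.I)),
    ("lolbin-no-args", "T1055",
     re.compile(r'^"?[A-Z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegAsm|MSBuild)\.exe"?\s*$', re.I)),
    ("dll-injector", "T1055.001",
     re.compile(r'injector\.exe\s+\S+\s+.*?hook\.dll', re.I)),
]

# Copied from the process list above; the last three are benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
    r'netsh wlan show profiles',
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\696768468217_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --mojo-platform-channel-handle=1556 /prefetch:2',
    r'choice /C Y /N /D Y /T 3',
    r'powershell -nologo -noprofile',
]

# Service-specific access rights as their two-letter SDDL codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
                   "SU": "Service", "WD": "Everyone"}


def deny_aces(text):
    """Return [(trustee, [right, ...])] for every access-denied ACE in the DACL
    of an SDDL string, or of a command line that embeds one."""
    m = re.search(r"D:((?:\([^)]*\))+)", text)
    if not m:
        return []
    found = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if fields[0] != "D":
            continue
        rights, trustee = fields[2], fields[-1]
        if rights.lower().startswith("0x"):      # numeric access mask, keep raw
            names = [rights]
        else:
            names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)]
        found.append((WELL_KNOWN_SIDS.get(trustee, trustee), names))
    return found


def triage(cmdlines):
    """Map each command line to the rule names it triggers; clean lines are omitted."""
    hits = {}
    for line in cmdlines:
        matched = [name for name, _tech, rx in RULES if rx.search(line)]
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, names in triage(SAMPLE_CMDLINES).items():
        print(f"{', '.join(names):28s} {line[:80]}")
    for trustee, rights in deny_aces(SAMPLE_CMDLINES[4]):
        print(f"deny {trustee}: {', '.join(rights)}")
```

The deny ACE (D;;WPDT;;;BA) is the reason an elevated `sc stop WinDefender` fails on an infected host: deny entries are evaluated before allow entries, and WP/DT are SERVICE_STOP and SERVICE_PAUSE_CONTINUE. The allow ACE for Administrators still grants WD (WRITE_DAC), so the recovery path is to rewrite the descriptor with `sc sdset` without the deny entry, then stop and delete the service. The two schtasks rules are deliberately narrow; a production rule would also fire on the `schtasks /delete /tn ScheduledUpdate` line, which the sample leaves unmatched here as a control.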

Network

Country Destination Domain Proto
RU 193.233.132.139:80 193.233.132.139 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 139.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com tcp
NL 173.194.69.84:443 accounts.google.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 172.217.16.238:443 accounts.youtube.com udp
N/A 224.0.0.251:5353 udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 104.21.67.211:443 affordcharmcropwo.shop tcp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 172.67.199.191:443 worryfillvolcawoi.shop tcp
US 172.67.183.226:443 enthusiasimtitleow.shop tcp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 104.21.23.143:443 diskretainvigorousiw.shop tcp
US 104.21.83.19:443 communicationgenerwo.shop tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com udp
US 172.67.144.218:443 pillowbrocccolipe.shop tcp
US 172.67.150.207:443 productivelookewr.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.33:8970 tcp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
RU 194.87.210.219:80 file-host-host0.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 172.67.218.63:443 incredibleextedwj.shop tcp
RU 185.215.113.67:26260 tcp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 172.67.192.138:443 liabilitynighstjsko.shop tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 104.21.84.71:443 parrotflight.com tcp
FR 52.143.157.84:80 52.143.157.84 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 104.21.33.174:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 104.21.92.190:443 junglethomas.com tcp
DE 185.172.128.228:80 185.172.128.228 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 20.157.87.45:80 svc.iolo.com tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 172.67.155.93:443 palmeventeryjusk.shop tcp
US 104.21.75.133:443 entitlementappwo.shop tcp
US 172.67.145.57:443 economicscreateojsu.shop tcp
US 104.21.70.22:443 pushjellysingeywus.shop tcp
US 172.67.135.202:443 absentconvicsjawun.shop tcp
US 172.67.214.60:443 suitcaseacanehalk.shop tcp
DE 185.172.128.62:80 185.172.128.62 tcp
US 104.21.9.123:443 bordersoarmanusjuw.shop tcp
US 104.21.22.58:443 mealplayerpreceodsju.shop tcp
US 104.21.52.82:443 wifeplasterbakewis.shop tcp
FR 185.93.2.245:443 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 104.20.4.235:443 pastebin.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 172.67.221.71:443 carsalessystem.com tcp
RU 91.215.85.66:15647 tcp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp
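The network table above mixes command-and-control traffic with the noise of a Chrome session (the sample launched Chrome against youtube.com/account, see the process list), the sandbox's own reverse-DNS lookups of the C2 addresses, mDNS and a STUN probe. Rows with no Domain column are connections made straight to an IP address. The following script is an added example written for this page, not part of the sandbox output: it parses the table, drops the noise and emits deduplicated indicators grouped by how actionable they are. The embedded rows are a subset copied from the table; the category names and the noise heuristics (PTR lookups, mDNS, STUN, Google properties) are the editor's assumptions.

```python
"""Triage of the sandbox 'Network' table above.

Added example by the editor, not part of the original report. The rows
embedded below are a subset copied from the table; the category names and
the noise heuristics are the editor's assumptions, not sandbox output.
"""
from collections import defaultdict

# Subset of the table above, in the report's own layout (Domain may be absent).
SAMPLE_TABLE = """\
Country Destination Domain Proto
RU 193.233.132.139:80 193.233.132.139 tcp
US 8.8.8.8:53 139.132.233.193.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com tcp
N/A 224.0.0.251:5353 udp
US 104.21.67.211:443 affordcharmcropwo.shop tcp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
DE 185.172.128.33:8970 tcp
RU 194.87.210.219:80 file-host-host0.com tcp
RU 185.215.113.67:26260 tcp
US 104.20.4.235:443 pastebin.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
RU 91.215.85.66:15647 tcp
RU 91.215.85.66:15647 tcp
FR 185.93.2.245:443 download.iolo.net tcp
"""

BROWSER_SUFFIXES = ("google.com", "youtube.com", "googleapis.com")
PASTE_CDN_HOSTS = {"pastebin.com", "cdn.discordapp.com"}   # legitimate hosting, abused


def parse_table(text):
    """Parse 'Country Destination Domain Proto' rows; a 3-column row has no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Assign one category per row; 'noise-*' and 'browser-google' are dropped later."""
    d = row["domain"]
    if d and d.endswith(".in-addr.arpa"):
        return "noise-ptr"                      # sandbox reverse lookups of peers
    if row["ip"].startswith("224."):
        return "noise-mdns"
    if d and d.startswith("stun."):
        return "noise-stun"
    if d and d.endswith(BROWSER_SUFFIXES):
        return "browser-google"                 # from the Chrome launch
    if d and d.endswith(".shop"):
        return "shop-tld"                       # Cloudflare-fronted rotating names
    if d in PASTE_CDN_HOSTS:
        return "paste-cdn-hosting"
    if d is None or d == row["ip"]:
        return "direct-ip-http" if row["port"] in (80, 443) else "direct-ip-nonstd-port"
    return "other"


def indicator(row):
    """Domain when one was resolved, else ip:port."""
    if row["domain"] and row["domain"] != row["ip"]:
        return row["domain"]
    return f'{row["ip"]}:{row["port"]}'


def iocs(rows):
    """Unique indicators grouped by category, noise and browser traffic removed."""
    grouped = defaultdict(set)
    for row in rows:
        cat = classify(row)
        if cat.startswith("noise-") or cat == "browser-google":
            continue
        grouped[cat].add(indicator(row))
    return {cat: sorted(v) for cat, v in sorted(grouped.items())}


if __name__ == "__main__":
    for cat, items in iocs(parse_table(SAMPLE_TABLE)).items():
        print(f"{cat:24s} {', '.join(items)}")
```

The direct-to-IP connections on 8970, 26260 and 15647 are the highest-confidence network indicators in this run, since nothing legitimate on the host explains them. The .shop names all resolve to shared Cloudflare ranges (104.21.x and 172.67.x), so blocking should key on the domain, not the address. pastebin.com and cdn.discordapp.com match the report's "legitimate hosting services abused" signature and are listed for review rather than for blanket blocking.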

Files

memory/3912-0-0x0000000000240000-0x00000000006ED000-memory.dmp

memory/3912-1-0x0000000077DB6000-0x0000000077DB8000-memory.dmp

memory/3912-3-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/3912-2-0x00000000052E0000-0x00000000052E1000-memory.dmp

memory/3912-4-0x0000000005310000-0x0000000005311000-memory.dmp

memory/3912-5-0x00000000052B0000-0x00000000052B1000-memory.dmp

memory/3912-6-0x00000000052C0000-0x00000000052C1000-memory.dmp

memory/3912-8-0x0000000005340000-0x0000000005341000-memory.dmp

memory/3912-9-0x0000000005330000-0x0000000005331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 c6c67eb559da36d1059124e4f58f5693
SHA1 98660ff111c1632bc86e96630122cd819593de60
SHA256 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa
SHA512 e1378319c487ecdd24541ca374465363c074831cb06fcbc8bf72512d9df7d77a66a5857e829bbdd1e4e3abe377668e93fa1418f6ff54effb72cefc823d09ccbb

memory/3912-21-0x0000000000240000-0x00000000006ED000-memory.dmp

memory/2772-22-0x0000000000490000-0x000000000093D000-memory.dmp

memory/2772-25-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/2772-28-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

memory/2772-27-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/2772-26-0x0000000004E20000-0x0000000004E21000-memory.dmp

memory/2772-23-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

memory/2772-24-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/2772-30-0x0000000004E40000-0x0000000004E41000-memory.dmp

memory/2772-29-0x0000000004E50000-0x0000000004E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

MD5 1bd74ec32d03840b8c1771d9ad21581b
SHA1 7e98aa9a833f87fe6b47bccae7cd9b9f9dce5ac4
SHA256 fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814
SHA512 da5473d44a865774c2af86e61e5f8d4806bd151a709339290e79a623a2d43f3c85d45ae6b982d3b0d31dd4894919fe75ef98482b8240a1bebcc60709388a6b16

memory/556-48-0x0000000000A10000-0x0000000000ED6000-memory.dmp

memory/556-54-0x0000000000A10000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe

MD5 573f71ffff5af9ebedda301477dd854f
SHA1 a21ff59592bda1bd7daa7fe9bca86599d83b45f1
SHA256 aff82ef31422a3a3a4cddc302f63d4666e2fdeb307b3f5719a8069bd3dda40d8
SHA512 6717f10cf0e6f38cac8c6cab1fa55a0d584d1c8b8a3e8590f9622e2f7e82e41f2afd63663d528ad43af0ac1dd511fa01614c00590525dd194c4e3e01b59cba24

\??\pipe\crashpad_3572_GFJQXJAEEDNELRHX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\1000017002\9b16ff0cfd.exe

MD5 284eae30acd3dc873f3dafe17b5808f4
SHA1 17a373e95def586de7da03eccf683113687b620c
SHA256 87b01da26c7560632f167b214b031e25277246d93e54525334d3fd0feebebb4c
SHA512 163b6bcfca1cdbd97aa5975dabdfcc4a6063fc3c784a36e1d5fa493a919a507a2f2b85298ea106d17a4b677c70d73e31cbbf59bc4117db36ea6592cb4357abd7

memory/2772-137-0x0000000000490000-0x000000000093D000-memory.dmp

memory/1688-138-0x00000000001B0000-0x0000000000799000-memory.dmp

memory/3996-147-0x00000000000F0000-0x00000000005B6000-memory.dmp

memory/2772-146-0x0000000000490000-0x000000000093D000-memory.dmp

memory/1468-149-0x0000000000490000-0x000000000093D000-memory.dmp

memory/1468-152-0x0000000000490000-0x000000000093D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/3268-172-0x0000000000010000-0x0000000000062000-memory.dmp

memory/3604-175-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3604-177-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7f5e78e21dacd6cc09d83a68d48bbe88
SHA1 c52e5e2c3c786e355b25d6eff65a137fd740b5b2
SHA256 787d2c9f6b22c9f6395bd6cfa55f5bedccb7aacfa7e5c6952e5fbc8fdba061a1
SHA512 a9a77b51f3d9cc6360bd626e4eb0911be91f8d86609c9a2835432a04589da36b17b36ae3fdf9cea5ef20e9eb709bcbea174db8cd190a1093fa319c1418e675ce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0513dbbadcc0959c15c4696414b18076
SHA1 da6227135d13ddbd62291619944898aa3f482f7c
SHA256 f3fbdc05eaed1b33826e0bde23e5ef026412a11d99b1159b7a9a143d2a40d5ae
SHA512 01bef0df4025ca8d243b77433372bb0a186676b7975b48e9789955da66e60d1a56fb88781772cdf6a2274ac84de72c0598b704d36787234a8bef8429327a0b1d

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/3832-204-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c3c65487505099558aab16f6e59dcc4a
SHA1 9bef50f9bbfda364bce2813c0f69dc62b7bab077
SHA256 83b038d5bf2a7abaa7435af9c981193952552f2385e9c087ab85f464bc795c0e
SHA512 27222520522514f022f55c0c21fc2b181e885774f2faf2156f285876f3d9f2a5f5af8c257d4dc4f20e091bb5507644339cea6a39b74068ef2cd901e94c322c6c

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/4556-231-0x0000000000D20000-0x0000000000D72000-memory.dmp

memory/4556-232-0x0000000005D60000-0x0000000006306000-memory.dmp

memory/4556-242-0x00000000057B0000-0x0000000005842000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/4868-244-0x0000000000020000-0x00000000000E0000-memory.dmp

memory/4556-247-0x00000000058A0000-0x00000000058AA000-memory.dmp

memory/4556-267-0x0000000005CA0000-0x0000000005D16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp974E.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/5244-269-0x0000000000400000-0x000000000044E000-memory.dmp

memory/5244-268-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4556-270-0x0000000006A20000-0x0000000006A3E000-memory.dmp

memory/4556-273-0x00000000072A0000-0x00000000078B8000-memory.dmp

memory/4556-274-0x0000000006DF0000-0x0000000006EFA000-memory.dmp

memory/4556-275-0x0000000006D30000-0x0000000006D42000-memory.dmp

memory/4556-276-0x0000000006D90000-0x0000000006DCC000-memory.dmp

memory/4556-277-0x0000000006F00000-0x0000000006F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
